ruby-stix2 0.1.0 → 0.1.2
- checksums.yaml +4 -4
 - data/.github/workflows/build.yml +4 -3
 - data/Gemfile +1 -1
 - data/Gemfile.lock +54 -1
 - data/README.md +49 -3
 - data/lib/stix2/base.rb +7 -0
 - data/lib/stix2/bundle.rb +1 -2
 - data/lib/stix2/common.rb +104 -22
 - data/lib/stix2/confidence_scale.rb +106 -0
 - data/lib/stix2/custom_object.rb +20 -0
 - data/lib/stix2/cyberobservable_objects/artifact.rb +1 -1
 - data/lib/stix2/cyberobservable_objects/directory.rb +1 -1
 - data/lib/stix2/cyberobservable_objects/domain_name.rb +1 -1
 - data/lib/stix2/cyberobservable_objects/email_message.rb +7 -7
 - data/lib/stix2/cyberobservable_objects/file.rb +2 -2
 - data/lib/stix2/cyberobservable_objects/ipv4_addr.rb +4 -4
 - data/lib/stix2/cyberobservable_objects/ipv6_addr.rb +4 -4
 - data/lib/stix2/cyberobservable_objects/network_traffic.rb +3 -3
 - data/lib/stix2/cyberobservable_objects/process.rb +17 -0
 - data/lib/stix2/cyberobservable_objects/software.rb +1 -1
 - data/lib/stix2/cyberobservable_objects/user_account.rb +4 -4
 - data/lib/stix2/cyberobservable_objects/x509_certificate.rb +4 -2
 - data/lib/stix2/domain_objects/attack_pattern.rb +3 -3
 - data/lib/stix2/domain_objects/campaign.rb +1 -1
 - data/lib/stix2/domain_objects/grouping.rb +1 -1
 - data/lib/stix2/domain_objects/identity.rb +1 -1
 - data/lib/stix2/domain_objects/indicator.rb +2 -2
 - data/lib/stix2/domain_objects/infrastructure.rb +3 -3
 - data/lib/stix2/domain_objects/intrusion-set.rb +3 -3
 - data/lib/stix2/domain_objects/malware.rb +9 -9
 - data/lib/stix2/domain_objects/malware_analysis.rb +3 -3
 - data/lib/stix2/domain_objects/note.rb +2 -2
 - data/lib/stix2/domain_objects/observed_data.rb +1 -1
 - data/lib/stix2/domain_objects/opinion.rb +2 -2
 - data/lib/stix2/domain_objects/report.rb +2 -2
 - data/lib/stix2/domain_objects/threat_actor.rb +6 -6
 - data/lib/stix2/domain_objects/tool.rb +3 -3
 - data/lib/stix2/enum.rb +81 -22
 - data/lib/stix2/extension_definition.rb +10 -0
 - data/lib/stix2/extensions/alternate_data_stream_type.rb +9 -0
 - data/lib/stix2/extensions/archive_file.rb +8 -0
 - data/lib/stix2/extensions/http_request.rb +12 -0
 - data/lib/stix2/extensions/icmp.rb +8 -0
 - data/lib/stix2/extensions/ntfs.rb +10 -0
 - data/lib/stix2/extensions/pdf.rb +11 -0
 - data/lib/stix2/extensions/raster_image.rb +10 -0
 - data/lib/stix2/extensions/socket.rb +13 -0
 - data/lib/stix2/extensions/tcp.rb +8 -0
 - data/lib/stix2/extensions/unix_account.rb +10 -0
 - data/lib/stix2/extensions/windows_pe_optional_header_type.rb +37 -0
 - data/lib/stix2/extensions/windows_pe_section_type.rb +10 -0
 - data/lib/stix2/extensions/windows_pebinary.rb +21 -0
 - data/lib/stix2/extensions/windows_process.rb +13 -0
 - data/lib/stix2/extensions/windows_service.rb +14 -0
 - data/lib/stix2/external_reference.rb +2 -6
 - data/lib/stix2/identifier.rb +2 -12
 - data/lib/stix2/kill_chain_phase.rb +3 -7
 - data/lib/stix2/languages.rb +236 -0
 - data/lib/stix2/meta_objects/data_markings/base.rb +1 -4
 - data/lib/stix2/meta_objects/data_markings/granular_marking.rb +2 -6
 - data/lib/stix2/meta_objects/data_markings/marking_definition.rb +2 -2
 - data/lib/stix2/meta_objects/data_markings/object_marking.rb +3 -13
 - data/lib/stix2/meta_objects/language_content.rb +1 -1
 - data/lib/stix2/ov.rb +266 -255
 - data/lib/stix2/relationship_objects/relationship.rb +155 -2
 - data/lib/stix2/relationship_objects/sighting.rb +3 -3
 - data/lib/stix2/storage.rb +21 -15
 - data/lib/stix2/version.rb +1 -1
 - data/lib/stix2.rb +100 -72
 - data/ruby-stix2.gemspec +25 -21
 - metadata +73 -11
 - data/lib/stix2/boolean.rb +0 -18
 
| 
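--- a/data/lib/stix2/cyberobservable_objects/process.rb
+++ b/data/lib/stix2/cyberobservable_objects/process.rb
@@ -0,0 +1,17 @@
+module Stix2
+  module CyberobservableObject
+    class Process < Base
+      property :is_hidden, coerce: ->(value) { Stix2.to_bool(value) }
+      property :pid, coerce: Integer
+      property :created_time, coerce: Time
+      property :cwd, coerce: String
+      property :command_line, coerce: String
+      property :environment_variables, coerce: Hash
+      property :opened_connection_refs, coerce: [Identifier]
+      property :creator_user_ref, coerce: Identifier
+      property :image_ref, coerce: Identifier
+      property :parent_ref, coerce: Identifier
+      property :child_refs, coerce: [Identifier]
+    end
+  end
+end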
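Review bot: The reference properties at the end of `Process` are coerced with a bare `Identifier`, so nothing in this file restricts what kind of object each one may point to; STIX 2.1 requires `image_ref` to reference a `file`, `creator_user_ref` a `user-account`, `parent_ref` and `child_refs` a `process`, and `opened_connection_refs` `network-traffic` objects. Unless `Identifier` (defined outside this section) checks the id prefix, a bundle from an untrusted feed can link a process to arbitrary objects, and downstream graph or correlation logic will trust those links. At minimum I would document the constraint above each property, e.g. `# STIX 2.1: must reference a file SCO`, and preferably reject a mismatching prefix during coercion. The same applies to `operating_system_refs` and `sample_refs` in the Malware section and to `installed_software_refs`, `host_vm_ref` and `operating_system_ref` in the MalwareAnalysis section.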
| 
         @@ -4,7 +4,7 @@ module Stix2 
     | 
|
| 
       4 
4 
     | 
    
         
             
                  property :name, required: true, coerce: String
         
     | 
| 
       5 
5 
     | 
    
         
             
                  property :cpe, coerce: String
         
     | 
| 
       6 
6 
     | 
    
         
             
                  property :swid, coerce: String
         
     | 
| 
       7 
     | 
    
         
            -
                  property :languages, coerce:  
     | 
| 
      
 7 
     | 
    
         
            +
                  property :languages, coerce: [String]
         
     | 
| 
       8 
8 
     | 
    
         
             
                  property :vendor, coerce: String
         
     | 
| 
       9 
9 
     | 
    
         
             
                  property :version, coerce: String
         
     | 
| 
       10 
10 
     | 
    
         
             
                end
         
     | 
| 
         @@ -6,10 +6,10 @@ module Stix2 
     | 
|
| 
       6 
6 
     | 
    
         
             
                  property :account_login, coerce: String
         
     | 
| 
       7 
7 
     | 
    
         
             
                  property :account_type, values: ACCOUNT_TYPE_OV
         
     | 
| 
       8 
8 
     | 
    
         
             
                  property :display_name, coerce: String
         
     | 
| 
       9 
     | 
    
         
            -
                  property :is_service_account, coerce: Stix2 
     | 
| 
       10 
     | 
    
         
            -
                  property :is_privileged, coerce: Stix2 
     | 
| 
       11 
     | 
    
         
            -
                  property :can_escalate_privs, coerce: Stix2 
     | 
| 
       12 
     | 
    
         
            -
                  property :is_disabled, coerce: Stix2 
     | 
| 
      
 9 
     | 
    
         
            +
                  property :is_service_account, coerce: ->(value) { Stix2.to_bool(value) }
         
     | 
| 
      
 10 
     | 
    
         
            +
                  property :is_privileged, coerce: ->(value) { Stix2.to_bool(value) }
         
     | 
| 
      
 11 
     | 
    
         
            +
                  property :can_escalate_privs, coerce: ->(value) { Stix2.to_bool(value) }
         
     | 
| 
      
 12 
     | 
    
         
            +
                  property :is_disabled, coerce: ->(value) { Stix2.to_bool(value) }
         
     | 
| 
       13 
13 
     | 
    
         
             
                  property :account_created, coerce: Time
         
     | 
| 
       14 
14 
     | 
    
         
             
                  property :account_expires, coerce: Time
         
     | 
| 
       15 
15 
     | 
    
         
             
                  property :credential_last_changed, coerce: Time
         
     | 
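Review bot: `is_service_account`, `is_privileged`, `can_escalate_privs` and `is_disabled` now depend entirely on `Stix2.to_bool`, which is not shown on this page, and these flags feed triage decisions, so the helper should fail closed: accept only `true`/`false` and the strings `"true"`/`"false"`, and raise on anything else rather than falling back to Ruby truthiness (where `"false"` and `0` are both truthy). A spec covering `"false"`, `nil`, `0` and an arbitrary string would pin that behaviour down. The identical lambda is also written out four times here and again for `is_hidden` (Process), `is_self_signed` (X509Certificate) and `is_family` (Malware); a single shared constant such as `BOOLEAN = ->(value) { Stix2.to_bool(value) }` would keep them in step. The class body starts and ends outside the hunk.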
| 
         @@ -1,8 +1,10 @@ 
     | 
|
| 
      
 1 
     | 
    
         
            +
            require "stix2/cyberobservable_objects/x509_v3_extension_type"
         
     | 
| 
      
 2 
     | 
    
         
            +
             
     | 
| 
       1 
3 
     | 
    
         
             
            module Stix2
         
     | 
| 
       2 
4 
     | 
    
         
             
              module CyberobservableObject
         
     | 
| 
       3 
5 
     | 
    
         
             
                class X509Certificate < Base
         
     | 
| 
       4 
     | 
    
         
            -
                  property :is_self_signed, coerce: ->(v){  
     | 
| 
       5 
     | 
    
         
            -
                  property :hashes, coerce: ->(hsh){ hash_dict(hsh) }
         
     | 
| 
      
 6 
     | 
    
         
            +
                  property :is_self_signed, coerce: ->(v) { Stix2.to_bool(v) }
         
     | 
| 
      
 7 
     | 
    
         
            +
                  property :hashes, coerce: ->(hsh) { hash_dict(hsh) }
         
     | 
| 
       6 
8 
     | 
    
         
             
                  property :version, coerce: String
         
     | 
| 
       7 
9 
     | 
    
         
             
                  property :serial_number, coerce: String
         
     | 
| 
       8 
10 
     | 
    
         
             
                  property :signature_algorithm, coerce: String
         
     | 
| 
         @@ -2,11 +2,11 @@ module Stix2 
     | 
|
| 
       2 
2 
     | 
    
         
             
              module DomainObject
         
     | 
| 
       3 
3 
     | 
    
         
             
                class AttackPattern < Base
         
     | 
| 
       4 
4 
     | 
    
         
             
                  property :type, required: true, coerce: String
         
     | 
| 
       5 
     | 
    
         
            -
                  property :external_references, coerce:  
     | 
| 
      
 5 
     | 
    
         
            +
                  property :external_references, coerce: [Stix2::ExternalReference]
         
     | 
| 
       6 
6 
     | 
    
         
             
                  property :name, coerce: String
         
     | 
| 
       7 
7 
     | 
    
         
             
                  property :description, coerce: String
         
     | 
| 
       8 
     | 
    
         
            -
                  property :aliases, coerce:  
     | 
| 
       9 
     | 
    
         
            -
                  property :kill_chain_phases, coerce:  
     | 
| 
      
 8 
     | 
    
         
            +
                  property :aliases, coerce: [String]
         
     | 
| 
      
 9 
     | 
    
         
            +
                  property :kill_chain_phases, coerce: [Stix2::KillChainPhase]
         
     | 
| 
       10 
10 
     | 
    
         
             
                end
         
     | 
| 
       11 
11 
     | 
    
         
             
              end
         
     | 
| 
       12 
12 
     | 
    
         
             
            end
         
     | 
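Review bot: `property :name, coerce: String` is still optional in `AttackPattern`, although STIX 2.1 makes `name` a required property of attack-pattern, so an object without it passes construction; I would change it to `property :name, required: true, coerce: String`, matching how `type` is declared two lines above. Other sections on this page show the same gap against the spec: `name` in Campaign, `pattern`, `pattern_type` and `valid_from` in Indicator, `is_family` in Malware, `content` and `object_refs` in Note, `opinion` and `object_refs` in Opinion, and `published` and `object_refs` in Report. If required-ness is enforced elsewhere (for example in `Base`, which is not visible here), a comment saying so would spare the next reader the same question.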
| 
         @@ -3,7 +3,7 @@ module Stix2 
     | 
|
| 
       3 
3 
     | 
    
         
             
                class Campaign < Base
         
     | 
| 
       4 
4 
     | 
    
         
             
                  property :name, coerce: String
         
     | 
| 
       5 
5 
     | 
    
         
             
                  property :description, coerce: String
         
     | 
| 
       6 
     | 
    
         
            -
                  property :aliases, coerce:  
     | 
| 
      
 6 
     | 
    
         
            +
                  property :aliases, coerce: [String]
         
     | 
| 
       7 
7 
     | 
    
         
             
                  property :first_seen, coerce: Time
         
     | 
| 
       8 
8 
     | 
    
         
             
                  property :last_seen, coerce: Time
         
     | 
| 
       9 
9 
     | 
    
         
             
                  property :objective, coerce: String
         
     | 
| 
         @@ -3,7 +3,7 @@ module Stix2 
     | 
|
| 
       3 
3 
     | 
    
         
             
                class Identity < Base
         
     | 
| 
       4 
4 
     | 
    
         
             
                  property :name, required: true, coerce: String
         
     | 
| 
       5 
5 
     | 
    
         
             
                  property :description, coerce: String
         
     | 
| 
       6 
     | 
    
         
            -
                  property :roles, coerce:  
     | 
| 
      
 6 
     | 
    
         
            +
                  property :roles, coerce: [String]
         
     | 
| 
       7 
7 
     | 
    
         
             
                  property :identity_class, coerce: String, values: IDENTITY_CLASS_OV
         
     | 
| 
       8 
8 
     | 
    
         
             
                  property :sectors, coerce: String, values: INDUSTRY_SECTOR_OV
         
     | 
| 
       9 
9 
     | 
    
         
             
                  property :contact_information, coerce: String
         
     | 
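Review bot: `property :sectors, coerce: String, values: INDUSTRY_SECTOR_OV` is left as a scalar while this change turns `roles` into a list; STIX 2.1 defines `sectors` as a list of open-vocabulary values, so an array input would presumably be stringified by the `String` coercion and then checked against the vocabulary as a single value. The pattern already used for `indicator_types` fits here: `property :sectors, coerce: ->(v) { validate_array(v, Stix2::INDUSTRY_SECTOR_OV) }`, assuming `validate_array` is available to this class as it is in the sibling domain objects. The class continues past the end of the hunk.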
| 
         @@ -3,13 +3,13 @@ module Stix2 
     | 
|
| 
       3 
3 
     | 
    
         
             
                class Indicator < Base
         
     | 
| 
       4 
4 
     | 
    
         
             
                  property :name, coerce: String
         
     | 
| 
       5 
5 
     | 
    
         
             
                  property :description, coerce: String
         
     | 
| 
       6 
     | 
    
         
            -
                  property :indicator_types, coerce: ->(v){ validate_array(v, Stix2::INDICATOR_TYPE_OV) }
         
     | 
| 
      
 6 
     | 
    
         
            +
                  property :indicator_types, coerce: ->(v) { validate_array(v, Stix2::INDICATOR_TYPE_OV) }
         
     | 
| 
       7 
7 
     | 
    
         
             
                  property :pattern, coerce: String
         
     | 
| 
       8 
8 
     | 
    
         
             
                  property :pattern_type, coerce: String, values: PATTERN_TYPE_OV
         
     | 
| 
       9 
9 
     | 
    
         
             
                  property :pattern_version, coerce: String
         
     | 
| 
       10 
10 
     | 
    
         
             
                  property :valid_from, coerce: Time
         
     | 
| 
       11 
11 
     | 
    
         
             
                  property :valid_until, coerce: Time
         
     | 
| 
       12 
     | 
    
         
            -
                  property :kill_chain_phases, coerce:  
     | 
| 
      
 12 
     | 
    
         
            +
                  property :kill_chain_phases, coerce: [KillChainPhase]
         
     | 
| 
       13 
13 
     | 
    
         
             
                end
         
     | 
| 
       14 
14 
     | 
    
         
             
              end
         
     | 
| 
       15 
15 
     | 
    
         
             
            end
         
     | 
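Review bot: Constant references in `Indicator` are qualified inconsistently: `Stix2::INDICATOR_TYPE_OV` carries the namespace while `PATTERN_TYPE_OV` and `KillChainPhase` in the same body do not, and AttackPattern writes `Stix2::KillChainPhase` for the same type. Inside `module Stix2` the prefix is redundant, so I would write `validate_array(v, INDICATOR_TYPE_OV)`, the bare form ThreatActor already uses inside its lambdas. Using one form throughout keeps a reader from wondering whether two different constants are meant.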
| 
         @@ -3,9 +3,9 @@ module Stix2 
     | 
|
| 
       3 
3 
     | 
    
         
             
                class Infrastructure < Base
         
     | 
| 
       4 
4 
     | 
    
         
             
                  property :name, required: true, coerce: String
         
     | 
| 
       5 
5 
     | 
    
         
             
                  property :description, coerce: String
         
     | 
| 
       6 
     | 
    
         
            -
                  property :infrastructure_types, coerce: ->(v){ validate_array(v, Stix2::INFRASTRUCTURE_TYPE_OV) }
         
     | 
| 
       7 
     | 
    
         
            -
                  property :aliases, coerce:  
     | 
| 
       8 
     | 
    
         
            -
                  property :kill_chain_phases, coerce:  
     | 
| 
      
 6 
     | 
    
         
            +
                  property :infrastructure_types, coerce: ->(v) { validate_array(v, Stix2::INFRASTRUCTURE_TYPE_OV) }
         
     | 
| 
      
 7 
     | 
    
         
            +
                  property :aliases, coerce: [String]
         
     | 
| 
      
 8 
     | 
    
         
            +
                  property :kill_chain_phases, coerce: [KillChainPhase]
         
     | 
| 
       9 
9 
     | 
    
         
             
                  property :first_seen, coerce: Time
         
     | 
| 
       10 
10 
     | 
    
         
             
                  property :last_seen, coerce: Time
         
     | 
| 
       11 
11 
     | 
    
         
             
                end
         
     | 
| 
         @@ -3,13 +3,13 @@ module Stix2 
     | 
|
| 
       3 
3 
     | 
    
         
             
                class IntrusionSet < Base
         
     | 
| 
       4 
4 
     | 
    
         
             
                  property :name, required: true, coerce: String
         
     | 
| 
       5 
5 
     | 
    
         
             
                  property :description, coerce: String
         
     | 
| 
       6 
     | 
    
         
            -
                  property :aliases, coerce:  
     | 
| 
      
 6 
     | 
    
         
            +
                  property :aliases, coerce: [String]
         
     | 
| 
       7 
7 
     | 
    
         
             
                  property :first_seen, coerce: Time
         
     | 
| 
       8 
8 
     | 
    
         
             
                  property :last_seen, coerce: Time
         
     | 
| 
       9 
     | 
    
         
            -
                  property :goals, coerce:  
     | 
| 
      
 9 
     | 
    
         
            +
                  property :goals, coerce: [String]
         
     | 
| 
       10 
10 
     | 
    
         
             
                  property :resource_level, values: ATTACK_RESOURCE_LEVEL_OV
         
     | 
| 
       11 
11 
     | 
    
         
             
                  property :primary_motivation, values: ATTACK_MOTIVATION_OV
         
     | 
| 
       12 
     | 
    
         
            -
                  property :secondary_motivations, coerce: ->(v){ validate_array(v, Stix2::ATTACK_MOTIVATION_OV) }
         
     | 
| 
      
 12 
     | 
    
         
            +
                  property :secondary_motivations, coerce: ->(v) { validate_array(v, Stix2::ATTACK_MOTIVATION_OV) }
         
     | 
| 
       13 
13 
     | 
    
         
             
                end
         
     | 
| 
       14 
14 
     | 
    
         
             
              end
         
     | 
| 
       15 
15 
     | 
    
         
             
            end
         
     | 
| 
         @@ -3,17 +3,17 @@ module Stix2 
     | 
|
| 
       3 
3 
     | 
    
         
             
                class Malware < Base
         
     | 
| 
       4 
4 
     | 
    
         
             
                  property :name, coerce: String
         
     | 
| 
       5 
5 
     | 
    
         
             
                  property :description, coerce: String
         
     | 
| 
       6 
     | 
    
         
            -
                  property :malware_types, coerce: ->(v){ validate_array(v, Stix2::MALWARE_TYPE_OV) }
         
     | 
| 
       7 
     | 
    
         
            -
                  property :is_family, coerce: ->(v){  
     | 
| 
       8 
     | 
    
         
            -
                  property :aliases, coerce:  
     | 
| 
       9 
     | 
    
         
            -
                  property :kill_chain_phases, coerce:  
     | 
| 
      
 6 
     | 
    
         
            +
                  property :malware_types, coerce: ->(v) { validate_array(v, Stix2::MALWARE_TYPE_OV) }
         
     | 
| 
      
 7 
     | 
    
         
            +
                  property :is_family, coerce: ->(v) { Stix2.to_bool(v) }
         
     | 
| 
      
 8 
     | 
    
         
            +
                  property :aliases, coerce: [String]
         
     | 
| 
      
 9 
     | 
    
         
            +
                  property :kill_chain_phases, coerce: [KillChainPhase]
         
     | 
| 
       10 
10 
     | 
    
         
             
                  property :first_seen, coerce: Time
         
     | 
| 
       11 
11 
     | 
    
         
             
                  property :last_seen, coerce: Time
         
     | 
| 
       12 
     | 
    
         
            -
                  property :operating_system_refs, coerce:  
     | 
| 
       13 
     | 
    
         
            -
                  property :architecture_execution_envs, coerce: ->(v){ validate_array(v, Stix2::PROCESSOR_ARCHITECTURE_OV) }
         
     | 
| 
       14 
     | 
    
         
            -
                  property :implementation_languages, coerce: ->(v){ validate_array(v, Stix2::IMPLEMENTATION_LANGUAGE_OV) }
         
     | 
| 
       15 
     | 
    
         
            -
                  property :capabilities, coerce: ->(v){ validate_array(v, Stix2::IMPLEMENTATION_CAPABILITIES_OV) }
         
     | 
| 
       16 
     | 
    
         
            -
                  property :sample_refs, coerce:  
     | 
| 
      
 12 
     | 
    
         
            +
                  property :operating_system_refs, coerce: [Identifier]
         
     | 
| 
      
 13 
     | 
    
         
            +
                  property :architecture_execution_envs, coerce: ->(v) { validate_array(v, Stix2::PROCESSOR_ARCHITECTURE_OV) }
         
     | 
| 
      
 14 
     | 
    
         
            +
                  property :implementation_languages, coerce: ->(v) { validate_array(v, Stix2::IMPLEMENTATION_LANGUAGE_OV) }
         
     | 
| 
      
 15 
     | 
    
         
            +
                  property :capabilities, coerce: ->(v) { validate_array(v, Stix2::IMPLEMENTATION_CAPABILITIES_OV) }
         
     | 
| 
      
 16 
     | 
    
         
            +
                  property :sample_refs, coerce: [Identifier]
         
     | 
| 
       17 
17 
     | 
    
         
             
                end
         
     | 
| 
       18 
18 
     | 
    
         
             
              end
         
     | 
| 
       19 
19 
     | 
    
         
             
            end
         
     | 
| 
         @@ -5,9 +5,9 @@ module Stix2 
     | 
|
| 
       5 
5 
     | 
    
         
             
                  property :version, coerce: String
         
     | 
| 
       6 
6 
     | 
    
         
             
                  property :host_vm_ref, coerce: Identifier
         
     | 
| 
       7 
7 
     | 
    
         
             
                  property :operating_system_ref, coerce: Identifier
         
     | 
| 
       8 
     | 
    
         
            -
                  property :installed_software_refs, coerce:  
     | 
| 
      
 8 
     | 
    
         
            +
                  property :installed_software_refs, coerce: [Identifier]
         
     | 
| 
       9 
9 
     | 
    
         
             
                  property :configuration_version, coerce: String
         
     | 
| 
       10 
     | 
    
         
            -
                  property :modules, coerce:  
     | 
| 
      
 10 
     | 
    
         
            +
                  property :modules, coerce: [String]
         
     | 
| 
       11 
11 
     | 
    
         
             
                  property :analysis_engine_version, coerce: String
         
     | 
| 
       12 
12 
     | 
    
         
             
                  property :analysis_definition_version, coerce: String
         
     | 
| 
       13 
13 
     | 
    
         
             
                  property :submitted, coerce: Time
         
     | 
| 
         @@ -15,7 +15,7 @@ module Stix2 
     | 
|
| 
       15 
15 
     | 
    
         
             
                  property :analysis_ended, coerce: Time
         
     | 
| 
       16 
16 
     | 
    
         
             
                  property :result_name, coerce: String
         
     | 
| 
       17 
17 
     | 
    
         
             
                  property :result, values: MALWARE_RESULT_OV
         
     | 
| 
       18 
     | 
    
         
            -
                  property :analysis_sco_refs, coerce:  
     | 
| 
      
 18 
     | 
    
         
            +
                  property :analysis_sco_refs, coerce: [Identifier]
         
     | 
| 
       19 
19 
     | 
    
         
             
                  property :sample_ref, coerce: Identifier
         
     | 
| 
       20 
20 
     | 
    
         
             
                end
         
     | 
| 
       21 
21 
     | 
    
         
             
              end
         
     | 
| 
         @@ -3,8 +3,8 @@ module Stix2 
     | 
|
| 
       3 
3 
     | 
    
         
             
                class Note < Base
         
     | 
| 
       4 
4 
     | 
    
         
             
                  property :abstract, coerce: String
         
     | 
| 
       5 
5 
     | 
    
         
             
                  property :content, coerce: String
         
     | 
| 
       6 
     | 
    
         
            -
                  property :authors, coerce:  
     | 
| 
       7 
     | 
    
         
            -
                  property :object_refs, coerce:  
     | 
| 
      
 6 
     | 
    
         
            +
                  property :authors, coerce: [String]
         
     | 
| 
      
 7 
     | 
    
         
            +
                  property :object_refs, coerce: [Identifier]
         
     | 
| 
       8 
8 
     | 
    
         
             
                end
         
     | 
| 
       9 
9 
     | 
    
         
             
              end
         
     | 
| 
       10 
10 
     | 
    
         
             
            end
         
     | 
| 
         @@ -5,7 +5,7 @@ module Stix2 
     | 
|
| 
       5 
5 
     | 
    
         
             
                  property :last_observed, required: true, coerce: Time
         
     | 
| 
       6 
6 
     | 
    
         
             
                  property :number_observed, required: true, coerce: Integer
         
     | 
| 
       7 
7 
     | 
    
         
             
                  property :objects, coerce: Hash
         
     | 
| 
       8 
     | 
    
         
            -
                  property :object_refs, coerce:  
     | 
| 
      
 8 
     | 
    
         
            +
                  property :object_refs, coerce: [Identifier]
         
     | 
| 
       9 
9 
     | 
    
         
             
                end
         
     | 
| 
       10 
10 
     | 
    
         
             
              end
         
     | 
| 
       11 
11 
     | 
    
         
             
            end
         
     | 
| 
         @@ -2,9 +2,9 @@ module Stix2 
     | 
|
| 
       2 
2 
     | 
    
         
             
              module DomainObject
         
     | 
| 
       3 
3 
     | 
    
         
             
                class Opinion < Base
         
     | 
| 
       4 
4 
     | 
    
         
             
                  property :explanation, coerce: String
         
     | 
| 
       5 
     | 
    
         
            -
                  property :authors, coerce:  
     | 
| 
      
 5 
     | 
    
         
            +
                  property :authors, coerce: [String]
         
     | 
| 
       6 
6 
     | 
    
         
             
                  property :opinion, values: OPINION_ENUM
         
     | 
| 
       7 
     | 
    
         
            -
                  property :object_refs, coerce:  
     | 
| 
      
 7 
     | 
    
         
            +
                  property :object_refs, coerce: [Identifier]
         
     | 
| 
       8 
8 
     | 
    
         
             
                end
         
     | 
| 
       9 
9 
     | 
    
         
             
              end
         
     | 
| 
       10 
10 
     | 
    
         
             
            end
         
     | 
| 
         @@ -3,9 +3,9 @@ module Stix2 
     | 
|
| 
       3 
3 
     | 
    
         
             
                class Report < Base
         
     | 
| 
       4 
4 
     | 
    
         
             
                  property :name, required: true, coerce: String
         
     | 
| 
       5 
5 
     | 
    
         
             
                  property :description, coerce: String
         
     | 
| 
       6 
     | 
    
         
            -
                  property :report_types, coerce: ->(v){ validate_array(v, Stix2::REPORT_TYPE_OV) }
         
     | 
| 
      
 6 
     | 
    
         
            +
                  property :report_types, coerce: ->(v) { validate_array(v, Stix2::REPORT_TYPE_OV) }
         
     | 
| 
       7 
7 
     | 
    
         
             
                  property :published, coerce: Time
         
     | 
| 
       8 
     | 
    
         
            -
                  property :object_refs, coerce:  
     | 
| 
      
 8 
     | 
    
         
            +
                  property :object_refs, coerce: [Identifier]
         
     | 
| 
       9 
9 
     | 
    
         
             
                end
         
     | 
| 
       10 
10 
     | 
    
         
             
              end
         
     | 
| 
       11 
11 
     | 
    
         
             
            end
         
     | 
| 
         @@ -3,17 +3,17 @@ module Stix2 
     | 
|
| 
       3 
3 
     | 
    
         
             
                class ThreatActor < Base
         
     | 
| 
       4 
4 
     | 
    
         
             
                  property :name, required: true, coerce: String
         
     | 
| 
       5 
5 
     | 
    
         
             
                  property :description, coerce: String
         
     | 
| 
       6 
     | 
    
         
            -
                  property :threat_actor_types, coerce: ->(v){ validate_array(v, THREAT_ACTOR_TYPE_OV) }
         
     | 
| 
       7 
     | 
    
         
            -
                  property :aliases, coerce:  
     | 
| 
      
 6 
     | 
    
         
            +
                  property :threat_actor_types, coerce: ->(v) { validate_array(v, THREAT_ACTOR_TYPE_OV) }
         
     | 
| 
      
 7 
     | 
    
         
            +
                  property :aliases, coerce: [String]
         
     | 
| 
       8 
8 
     | 
    
         
             
                  property :first_seen, coerce: Time
         
     | 
| 
       9 
9 
     | 
    
         
             
                  property :last_seen, coerce: Time
         
     | 
| 
       10 
     | 
    
         
            -
                  property :roles, coerce: ->(v){ validate_array(v, THREAT_ACTOR_ROLE_OV) }
         
     | 
| 
       11 
     | 
    
         
            -
                  property :goals, coerce:  
     | 
| 
      
 10 
     | 
    
         
            +
                  property :roles, coerce: ->(v) { validate_array(v, THREAT_ACTOR_ROLE_OV) }
         
     | 
| 
      
 11 
     | 
    
         
            +
                  property :goals, coerce: [String]
         
     | 
| 
       12 
12 
     | 
    
         
             
                  property :sophistication, values: THREAT_ACTOR_SOPHISTICATION_OV
         
     | 
| 
       13 
13 
     | 
    
         
             
                  property :resource_level, values: ATTACK_RESOURCE_LEVEL_OV
         
     | 
| 
       14 
14 
     | 
    
         
             
                  property :primary_motivation, values: ATTACK_MOTIVATION_OV
         
     | 
| 
       15 
     | 
    
         
            -
                  property :secondary_motivations, coerce: ->(v){ validate_array(v, ATTACK_MOTIVATION_OV) }
         
     | 
| 
       16 
     | 
    
         
            -
                  property :personal_motivations, coerce: ->(v){ validate_array(v, ATTACK_MOTIVATION_OV) }
         
     | 
| 
      
 15 
     | 
    
         
            +
                  property :secondary_motivations, coerce: ->(v) { validate_array(v, ATTACK_MOTIVATION_OV) }
         
     | 
| 
      
 16 
     | 
    
         
            +
                  property :personal_motivations, coerce: ->(v) { validate_array(v, ATTACK_MOTIVATION_OV) }
         
     | 
| 
       17 
17 
     | 
    
         
             
                end
         
     | 
| 
       18 
18 
     | 
    
         
             
              end
         
     | 
| 
       19 
19 
     | 
    
         
             
            end
         
     | 
| 
         @@ -3,9 +3,9 @@ module Stix2 
     | 
|
| 
       3 
3 
     | 
    
         
             
                class Tool < Base
         
     | 
| 
       4 
4 
     | 
    
         
             
                  property :name, required: true, coerce: String
         
     | 
| 
       5 
5 
     | 
    
         
             
                  property :description, coerce: String
         
     | 
| 
       6 
     | 
    
         
            -
                  property :tool_types, coerce: ->(v){ validate_array(v, TOOL_TYPES_OV) }
         
     | 
| 
       7 
     | 
    
         
            -
                  property :aliases, coerce:  
     | 
| 
       8 
     | 
    
         
            -
                  property :kill_chain_phases, coerce:  
     | 
| 
      
 6 
     | 
    
         
            +
                  property :tool_types, coerce: ->(v) { validate_array(v, TOOL_TYPES_OV) }
         
     | 
| 
      
 7 
     | 
    
         
            +
                  property :aliases, coerce: [String]
         
     | 
| 
      
 8 
     | 
    
         
            +
                  property :kill_chain_phases, coerce: [KillChainPhase]
         
     | 
| 
       9 
9 
     | 
    
         
             
                  property :tool_version, coerce: String
         
     | 
| 
       10 
10 
     | 
    
         
             
                end
         
     | 
| 
       11 
11 
     | 
    
         
             
              end
         
     | 
    
        data/lib/stix2/enum.rb
    CHANGED
    
    | 
         @@ -1,32 +1,91 @@ 
     | 
|
| 
       1 
1 
     | 
    
         
             
            module Stix2
         
     | 
| 
       2 
2 
     | 
    
         
             
              OPINION_ENUM = [
         
     | 
| 
       3 
     | 
    
         
            -
                 
     | 
| 
       4 
     | 
    
         
            -
                 
     | 
| 
       5 
     | 
    
         
            -
                 
     | 
| 
       6 
     | 
    
         
            -
                 
     | 
| 
       7 
     | 
    
         
            -
                 
     | 
| 
      
 3 
     | 
    
         
            +
                "strongly-disagree",
         
     | 
| 
      
 4 
     | 
    
         
            +
                "disagree",
         
     | 
| 
      
 5 
     | 
    
         
            +
                "neutral",
         
     | 
| 
      
 6 
     | 
    
         
            +
                "agree",
         
     | 
| 
      
 7 
     | 
    
         
            +
                "strongly-agree"
         
     | 
| 
       8 
8 
     | 
    
         
             
              ].freeze
         
     | 
| 
       9 
9 
     | 
    
         | 
| 
       10 
10 
     | 
    
         
             
              ENCRYPTION_ALGORITHM_ENUM = [
         
     | 
| 
       11 
     | 
    
         
            -
                 
     | 
| 
       12 
     | 
    
         
            -
                 
     | 
| 
       13 
     | 
    
         
            -
                 
     | 
| 
      
 11 
     | 
    
         
            +
                "AES-256-GCM",
         
     | 
| 
      
 12 
     | 
    
         
            +
                "ChaCha20-Poly1305",
         
     | 
| 
      
 13 
     | 
    
         
            +
                "mime-type-indicated"
         
     | 
| 
       14 
14 
     | 
    
         
             
              ].freeze
         
     | 
| 
       15 
15 
     | 
    
         | 
| 
       16 
16 
     | 
    
         
             
              WINDOWS_REGISTRY_DATATYPE_ENUM = [
         
     | 
| 
       17 
     | 
    
         
            -
                 
     | 
| 
       18 
     | 
    
         
            -
                 
     | 
| 
       19 
     | 
    
         
            -
                 
     | 
| 
       20 
     | 
    
         
            -
                 
     | 
| 
       21 
     | 
    
         
            -
                 
     | 
| 
       22 
     | 
    
         
            -
                 
     | 
| 
       23 
     | 
    
         
            -
                 
     | 
| 
       24 
     | 
    
         
            -
                 
     | 
| 
       25 
     | 
    
         
            -
                 
     | 
| 
       26 
     | 
    
         
            -
                 
     | 
| 
       27 
     | 
    
         
            -
                 
     | 
| 
       28 
     | 
    
         
            -
                 
     | 
| 
       29 
     | 
    
         
            -
                 
     | 
| 
       30 
     | 
    
         
            -
                 
     | 
| 
      
 17 
     | 
    
         
            +
                "REG_NONE",
         
     | 
| 
      
 18 
     | 
    
         
            +
                "REG_SZ",
         
     | 
| 
      
 19 
     | 
    
         
            +
                "REG_EXPAND_SZ",
         
     | 
| 
      
 20 
     | 
    
         
            +
                "REG_BINARY",
         
     | 
| 
      
 21 
     | 
    
         
            +
                "REG_DWORD",
         
     | 
| 
      
 22 
     | 
    
         
            +
                "REG_DWORD_BIG_ENDIAN",
         
     | 
| 
      
 23 
     | 
    
         
            +
                "REG_DWORD_LITTLE_ENDIAN",
         
     | 
| 
      
 24 
     | 
    
         
            +
                "REG_LINK",
         
     | 
| 
      
 25 
     | 
    
         
            +
                "REG_MULTI_SZ",
         
     | 
| 
      
 26 
     | 
    
         
            +
                "REG_RESOURCE_LIST",
         
     | 
| 
      
 27 
     | 
    
         
            +
                "REG_FULL_RESOURCE_DESCRIPTION",
         
     | 
| 
      
 28 
     | 
    
         
            +
                "REG_RESOURCE_REQUIREMENTS_LIST",
         
     | 
| 
      
 29 
     | 
    
         
            +
                "REG_QWORD",
         
     | 
| 
      
 30 
     | 
    
         
            +
                "REG_INVALID_TYPE"
         
     | 
| 
      
 31 
     | 
    
         
            +
              ].freeze
         
     | 
| 
      
 32 
     | 
    
         
            +
             
     | 
| 
      
 33 
     | 
    
         
            +
              EXTENSION_TYPE_ENUM = [
         
     | 
| 
      
 34 
     | 
    
         
            +
                "new-sdo",
         
     | 
| 
      
 35 
     | 
    
         
            +
                "new-sco",
         
     | 
| 
      
 36 
     | 
    
         
            +
                "new-sro",
         
     | 
| 
      
 37 
     | 
    
         
            +
                "property-extension",
         
     | 
| 
      
 38 
     | 
    
         
            +
                "toplevel-property-extension"
         
     | 
| 
      
 39 
     | 
    
         
            +
              ].freeze
         
     | 
| 
      
 40 
     | 
    
         
            +
             
     | 
| 
      
 41 
     | 
    
         
            +
              NETWORK_SOCKET_ADDRESS_FAMILY_ENUM = [
         
     | 
| 
      
 42 
     | 
    
         
            +
                "AF_UNSPEC",
         
     | 
| 
      
 43 
     | 
    
         
            +
                "AF_INET",
         
     | 
| 
      
 44 
     | 
    
         
            +
                "AF_IPX",
         
     | 
| 
      
 45 
     | 
    
         
            +
                "AF_APPLETALK",
         
     | 
| 
      
 46 
     | 
    
         
            +
                "AF_NETBIOS",
         
     | 
| 
      
 47 
     | 
    
         
            +
                "AF_INET6",
         
     | 
| 
      
 48 
     | 
    
         
            +
                "AF_IRDA",
         
     | 
| 
      
 49 
     | 
    
         
            +
                "AF_BTH"
         
     | 
| 
      
 50 
     | 
    
         
            +
              ].freeze
         
     | 
| 
      
 51 
     | 
    
         
            +
             
     | 
| 
      
 52 
     | 
    
         
            +
              NETWORK_SOCKET_TYPE_ENUM = [
         
     | 
| 
      
 53 
     | 
    
         
            +
                "SOCK_STREAM",
         
     | 
| 
      
 54 
     | 
    
         
            +
                "AF_ISOCK_DGRAMNET",
         
     | 
| 
      
 55 
     | 
    
         
            +
                "SOCK_RAW",
         
     | 
| 
      
 56 
     | 
    
         
            +
                "SOCK_RDM",
         
     | 
| 
      
 57 
     | 
    
         
            +
                "SOCK_SEQPACKET"
         
     | 
| 
      
 58 
     | 
    
         
            +
              ].freeze
         
     | 
| 
      
 59 
     | 
    
         
            +
             
     | 
| 
      
 60 
     | 
    
         
            +
              WINDOWS_INTEGRITY_LEVEL_ENUM = [
         
     | 
| 
      
 61 
     | 
    
         
            +
                "low",
         
     | 
| 
      
 62 
     | 
    
         
            +
                "medium",
         
     | 
| 
      
 63 
     | 
    
         
            +
                "high",
         
     | 
| 
      
 64 
     | 
    
         
            +
                "system"
         
     | 
| 
      
 65 
     | 
    
         
            +
              ].freeze
         
     | 
| 
      
 66 
     | 
    
         
            +
             
     | 
| 
      
 67 
     | 
    
         
            +
              WINDOWS_SERVICE_START_TYPE_ENUM = [
         
     | 
| 
      
 68 
     | 
    
         
            +
                "SERVICE_AUTO_START",
         
     | 
| 
      
 69 
     | 
    
         
            +
                "SERVICE_BOOT_START",
         
     | 
| 
      
 70 
     | 
    
         
            +
                "SERVICE_DEMAND_START",
         
     | 
| 
      
 71 
     | 
    
         
            +
                "SERVICE_DISABLED",
         
     | 
| 
      
 72 
     | 
    
         
            +
                "SERVICE_SYSTEM_ALERT"
         
     | 
| 
      
 73 
     | 
    
         
            +
              ].freeze
         
     | 
| 
      
 74 
     | 
    
         
            +
             
     | 
| 
      
 75 
     | 
    
         
            +
              WINDOWS_SERVICE_TYPE_ENUM = [
         
     | 
| 
      
 76 
     | 
    
         
            +
                "SERVICE_KERNEL_DRIVER",
         
     | 
| 
      
 77 
     | 
    
         
            +
                "SERVICE_FILE_SYSTEM_DRIVER",
         
     | 
| 
      
 78 
     | 
    
         
            +
                "SERVICE_WIN32_OWN_PROCESS",
         
     | 
| 
      
 79 
     | 
    
         
            +
                "SERVICE_WIN32_SHARE_PROCESS"
         
     | 
| 
      
 80 
     | 
    
         
            +
              ].freeze
         
     | 
| 
      
 81 
     | 
    
         
            +
             
     | 
| 
      
 82 
     | 
    
         
            +
              WINDOWS_SERVICE_STATUS_ENUM = [
         
     | 
| 
      
 83 
     | 
    
         
            +
                "SERVICE_CONTINUE_PENDING",
         
     | 
| 
      
 84 
     | 
    
         
            +
                "SERVICE_PAUSE_PENDING",
         
     | 
| 
      
 85 
     | 
    
         
            +
                "SERVICE_PAUSED",
         
     | 
| 
      
 86 
     | 
    
         
            +
                "SERVICE_RUNNING",
         
     | 
| 
      
 87 
     | 
    
         
            +
                "SERVICE_START_PENDING",
         
     | 
| 
      
 88 
     | 
    
         
            +
                "SERVICE_STOP_PENDING",
         
     | 
| 
      
 89 
     | 
    
         
            +
                "SERVICE_STOPPED"
         
     | 
| 
       31 
90 
     | 
    
         
             
              ].freeze
         
     | 
| 
       32 
91 
     | 
    
         
             
            end
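Review bot: `NETWORK_SOCKET_TYPE_ENUM` lists `"AF_ISOCK_DGRAMNET"` between `"SOCK_STREAM"` and `"SOCK_RAW"`, where every other entry is a `SOCK_*` socket type and the datagram type `SOCK_DGRAM` is absent. The string appears to mirror a typo in the STIX 2.1 enumeration text, so a socket extension whose `socket_type` is `SOCK_DGRAM` would presumably fail the `values:` check used by the Socket class. Accepting both spellings, `"SOCK_DGRAM", "AF_ISOCK_DGRAMNET",`, with a comment naming the spec wording would keep UDP observables from being rejected. `"SERVICE_SYSTEM_ALERT"` in `WINDOWS_SERVICE_START_TYPE_ENUM` deserves the same check against the Windows constant `SERVICE_SYSTEM_START`.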
         
     | 
| 
         @@ -0,0 +1,10 @@ 
     | 
|
| 
      
 1 
     | 
    
         
            +
            module Stix2
         
     | 
| 
      
 2 
     | 
    
         
            +
              class ExtensionDefinition < Stix2::Common
         
     | 
| 
      
 3 
     | 
    
         
            +
                property :name, required: true, coerce: String
         
     | 
| 
      
 4 
     | 
    
         
            +
                property :description, coerce: String
         
     | 
| 
      
 5 
     | 
    
         
            +
                property :schema, required: true, coerce: String
         
     | 
| 
      
 6 
     | 
    
         
            +
                property :version, required: true, coerce: String
         
     | 
| 
      
 7 
     | 
    
         
            +
                property :extension_types, required: true, coerce: ->(values) { validate_array(values, EXTENSION_TYPE_ENUM) }
         
     | 
| 
      
 8 
     | 
    
         
            +
                property :extension_properties, coerce: [String]
         
     | 
| 
      
 9 
     | 
    
         
            +
              end
         
     | 
| 
      
 10 
     | 
    
         
            +
            end
         
     | 
| 
         @@ -0,0 +1,12 @@ 
     | 
|
| 
      
 1 
     | 
    
         
            +
            module Stix2
         
     | 
| 
      
 2 
     | 
    
         
            +
              module Extensions
         
     | 
| 
      
 3 
     | 
    
         
            +
                class HttpRequest < Stix2::Base
         
     | 
| 
      
 4 
     | 
    
         
            +
                  property :request_method, required: true, coerce: String
         
     | 
| 
      
 5 
     | 
    
         
            +
                  property :request_value, required: true, coerce: String
         
     | 
| 
      
 6 
     | 
    
         
            +
                  property :request_version, coerce: String
         
     | 
| 
      
 7 
     | 
    
         
            +
                  property :request_header, coerce: Hash
         
     | 
| 
      
 8 
     | 
    
         
            +
                  property :message_body_length, coerce: Integer
         
     | 
| 
      
 9 
     | 
    
         
            +
                  property :message_body_data_ref, coerce: Identifier
         
     | 
| 
      
 10 
     | 
    
         
            +
                end
         
     | 
| 
      
 11 
     | 
    
         
            +
              end
         
     | 
| 
      
 12 
     | 
    
         
            +
            end
         
     | 
| 
         @@ -0,0 +1,8 @@ 
     | 
|
| 
      
 1 
     | 
    
         
            +
            module Stix2
         
     | 
| 
      
 2 
     | 
    
         
            +
              module Extensions
         
     | 
| 
      
 3 
     | 
    
         
            +
                class Icmp < Stix2::Base
         
     | 
| 
      
 4 
     | 
    
         
            +
                  property :icmp_type_hex, required: true, coerce: ->(value) { Stix2.is_hex?(value) && value }
         
     | 
| 
      
 5 
     | 
    
         
            +
                  property :icmp_code_hex, required: true, coerce: ->(value) { Stix2.is_hex?(value) && value }
         
     | 
| 
      
 6 
     | 
    
         
            +
                end
         
     | 
| 
      
 7 
     | 
    
         
            +
              end
         
     | 
| 
      
 8 
     | 
    
         
            +
            end
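Review bot: Both coercion lambdas evaluate `Stix2.is_hex?(value) && value`, which yields `false` rather than an error when the check is falsy, so a malformed `icmp_type_hex` or `icmp_code_hex` would be stored as `false` instead of being rejected. `is_hex?` and the `required:` handling are defined outside this section, so this holds only if `is_hex?` returns a boolean rather than raising. Raising explicitly makes the failure visible, e.g. `coerce: ->(value) { Stix2.is_hex?(value) ? value : raise(ArgumentError, "icmp_type_hex must be hex") }`. The same `&& value` pattern recurs in the `*_hex` properties of WindowsPeOptionalHeaderType and WindowsPebinary and in `options` of Socket.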
         
     | 
| 
         @@ -0,0 +1,11 @@ 
     | 
|
| 
      
 1 
     | 
    
         
            +
            module Stix2
         
     | 
| 
      
 2 
     | 
    
         
            +
              module Extensions
         
     | 
| 
      
 3 
     | 
    
         
            +
                class Pdf < Stix2::Base
         
     | 
| 
      
 4 
     | 
    
         
            +
                  property :version, coerce: String
         
     | 
| 
      
 5 
     | 
    
         
            +
                  property :is_optimized, coerce: ->(value) { Stix2.to_bool(value) }
         
     | 
| 
      
 6 
     | 
    
         
            +
                  property :document_info_dict, {String => String}
         
     | 
| 
      
 7 
     | 
    
         
            +
                  property :pdfid0, coerce: String
         
     | 
| 
      
 8 
     | 
    
         
            +
                  property :pdfid1, coerce: String
         
     | 
| 
      
 9 
     | 
    
         
            +
                end
         
     | 
| 
      
 10 
     | 
    
         
            +
              end
         
     | 
| 
      
 11 
     | 
    
         
            +
            end
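Review bot: `property :document_info_dict, {String => String}` passes the type map as the second positional argument instead of under `coerce:`, unlike every other property in this class. As written the hash is most likely read as the options hash itself, so no coercion is registered and `document_info_dict` accepts any value unchecked. It should read `property :document_info_dict, coerce: {String => String}`, assuming the `property` DSL (defined outside this section) supports hash coercion the way it supports `[String]`.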
         
     | 
| 
         @@ -0,0 +1,13 @@ 
     | 
|
| 
      
 1 
     | 
    
         
            +
            module Stix2
         
     | 
| 
      
 2 
     | 
    
         
            +
              module Extensions
         
     | 
| 
      
 3 
     | 
    
         
            +
                class Socket < Stix2::Base
         
     | 
| 
      
 4 
     | 
    
         
            +
                  property :address_family, required: true, values: NETWORK_SOCKET_ADDRESS_FAMILY_ENUM
         
     | 
| 
      
 5 
     | 
    
         
            +
                  property :is_blocking, coerce: ->(value) { Stix2.to_bool(value) }
         
     | 
| 
      
 6 
     | 
    
         
            +
                  property :is_listening, coerce: ->(value) { Stix2.to_bool(value) }
         
     | 
| 
      
 7 
     | 
    
         
            +
                  property :options, coerce: ->(hsh) { hsh.keys.all? { |k| k.is_a?(Integer) } && hsh }
         
     | 
| 
      
 8 
     | 
    
         
            +
                  property :socket_type, values: NETWORK_SOCKET_TYPE_ENUM
         
     | 
| 
      
 9 
     | 
    
         
            +
                  property :socket_descriptor, coerce: Integer
         
     | 
| 
      
 10 
     | 
    
         
            +
                  property :socket_handle, coerce: Integer
         
     | 
| 
      
 11 
     | 
    
         
            +
                end
         
     | 
| 
      
 12 
     | 
    
         
            +
              end
         
     | 
| 
      
 13 
     | 
    
         
            +
            end
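Review bot: The `options` lambda checks `hsh.keys.all? { |k| k.is_a?(Integer) }`, but keys of a dictionary parsed from JSON are strings (or symbols), never integers, so `options` read from a serialized bundle fails the check and the lambda returns `false`. STIX 2.1 describes this dictionary as option names such as `SO_ACCEPTCONN` mapped to integer values, so the test likely belongs on the values: `hsh.values.all? { |v| v.is_a?(Integer) }`. A non-Hash input also reaches `.keys` without a type check; putting `hsh.is_a?(Hash) &&` in front of the `all?` would turn that into a validation failure rather than a `NoMethodError`.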
         
     | 
| 
         @@ -0,0 +1,37 @@ 
     | 
|
| 
      
 1 
     | 
    
         
            +
            module Stix2
         
     | 
| 
      
 2 
     | 
    
         
            +
              module Extensions
         
     | 
| 
      
 3 
     | 
    
         
            +
                class WindowsPeOptionalHeaderType < Stix2::Base
         
     | 
| 
      
 4 
     | 
    
         
            +
                  property :magic_hex, coerce: ->(value) { Stix2.is_hex?(value) && value }
         
     | 
| 
      
 5 
     | 
    
         
            +
                  property :major_linker_version, coerce: Integer
         
     | 
| 
      
 6 
     | 
    
         
            +
                  property :minor_linker_version, coerce: Integer
         
     | 
| 
      
 7 
     | 
    
         
            +
                  property :size_of_code, coerce: Integer
         
     | 
| 
      
 8 
     | 
    
         
            +
                  property :size_of_initialized_data, coerce: Integer
         
     | 
| 
      
 9 
     | 
    
         
            +
                  property :size_of_uninitialized_data, coerce: Integer
         
     | 
| 
      
 10 
     | 
    
         
            +
                  property :address_of_entry_point, coerce: Integer
         
     | 
| 
      
 11 
     | 
    
         
            +
                  property :base_of_code, coerce: Integer
         
     | 
| 
      
 12 
     | 
    
         
            +
                  property :base_of_data, coerce: Integer
         
     | 
| 
      
 13 
     | 
    
         
            +
                  property :image_base, coerce: Integer
         
     | 
| 
      
 14 
     | 
    
         
            +
                  property :section_alignment, coerce: Integer
         
     | 
| 
      
 15 
     | 
    
         
            +
                  property :file_alignment, coerce: Integer
         
     | 
| 
      
 16 
     | 
    
         
            +
                  property :major_os_version, coerce: Integer
         
     | 
| 
      
 17 
     | 
    
         
            +
                  property :minor_os_version, coerce: Integer
         
     | 
| 
      
 18 
     | 
    
         
            +
                  property :major_image_version, coerce: Integer
         
     | 
| 
      
 19 
     | 
    
         
            +
                  property :minor_image_version, coerce: Integer
         
     | 
| 
      
 20 
     | 
    
         
            +
                  property :major_subsystem_version, coerce: Integer
         
     | 
| 
      
 21 
     | 
    
         
            +
                  property :minor_subsystem_version, coerce: Integer
         
     | 
| 
      
 22 
     | 
    
         
            +
                  property :win32_version_value_hex, coerce: ->(value) { Stix2.is_hex?(value) && value }
         
     | 
| 
      
 23 
     | 
    
         
            +
                  property :size_of_image, coerce: Integer
         
     | 
| 
      
 24 
     | 
    
         
            +
                  property :size_of_headers, coerce: Integer
         
     | 
| 
      
 25 
     | 
    
         
            +
                  property :checksum_hex, coerce: ->(value) { Stix2.is_hex?(value) && value }
         
     | 
| 
      
 26 
     | 
    
         
            +
                  property :subsystem_hex, coerce: ->(value) { Stix2.is_hex?(value) && value }
         
     | 
| 
      
 27 
     | 
    
         
            +
                  property :dll_characteristics_hex, coerce: ->(value) { Stix2.is_hex?(value) && value }
         
     | 
| 
      
 28 
     | 
    
         
            +
                  property :size_of_stack_reserve, coerce: Integer
         
     | 
| 
      
 29 
     | 
    
         
            +
                  property :size_of_stack_commit, coerce: Integer
         
     | 
| 
      
 30 
     | 
    
         
            +
                  property :size_of_heap_reserve, coerce: Integer
         
     | 
| 
      
 31 
     | 
    
         
            +
                  property :size_of_heap_commit, coerce: Integer
         
     | 
| 
      
 32 
     | 
    
         
            +
                  property :loader_flags_hex, coerce: ->(value) { Stix2.is_hex?(value) && value }
         
     | 
| 
      
 33 
     | 
    
         
            +
                  property :number_of_rva_and_sizes, coerce: Integer
         
     | 
| 
      
 34 
     | 
    
         
            +
                  property :hashes, coerce: ->(hsh) { hash_dict(hsh) }
         
     | 
| 
      
 35 
     | 
    
         
            +
                end
         
     | 
| 
      
 36 
     | 
    
         
            +
              end
         
     | 
| 
      
 37 
     | 
    
         
            +
            end
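Review bot: The size, address and version fields all use `coerce: Integer`; if that resolves to a `to_i`-style conversion, as Hashie's core-type coercion does, a non-numeric string such as a constructed `"abc"` becomes `0` instead of being rejected. For header values parsed from untrusted samples a strict conversion is safer, e.g. `property :size_of_image, coerce: ->(value) { Integer(value) }`, which raises on malformed input. The `property` implementation is outside this section, so this needs confirming against `Stix2::Base`. The Integer properties in HttpRequest, Socket, WindowsPeSectionType and WindowsPebinary would be affected the same way.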
         
     | 
| 
         @@ -0,0 +1,10 @@ 
     | 
|
| 
      
 1 
     | 
    
         
            +
            module Stix2
         
     | 
| 
      
 2 
     | 
    
         
            +
              module Extensions
         
     | 
| 
      
 3 
     | 
    
         
            +
                class WindowsPeSectionType < Stix2::Base
         
     | 
| 
      
 4 
     | 
    
         
            +
                  property :name, required: true, coerce: String
         
     | 
| 
      
 5 
     | 
    
         
            +
                  property :size, coerce: Integer
         
     | 
| 
      
 6 
     | 
    
         
            +
                  property :entropy, coerce: Float
         
     | 
| 
      
 7 
     | 
    
         
            +
                  property :hashes, coerce: ->(hsh) { hash_dict(hsh) }
         
     | 
| 
      
 8 
     | 
    
         
            +
                end
         
     | 
| 
      
 9 
     | 
    
         
            +
              end
         
     | 
| 
      
 10 
     | 
    
         
            +
            end
         
     | 
| 
         @@ -0,0 +1,21 @@ 
     | 
|
| 
      
 1 
     | 
    
         
            +
            require "stix2/extensions/windows_pe_optional_header_type"
         
     | 
| 
      
 2 
     | 
    
         
            +
            require "stix2/extensions/windows_pe_section_type"
         
     | 
| 
      
 3 
     | 
    
         
            +
             
     | 
| 
      
 4 
     | 
    
         
            +
            module Stix2
         
     | 
| 
      
 5 
     | 
    
         
            +
              module Extensions
         
     | 
| 
      
 6 
     | 
    
         
            +
                class WindowsPebinary < Stix2::Base
         
     | 
| 
      
 7 
     | 
    
         
            +
                  property :pe_type, required: true, values: WINDOWS_PEBINARY_TYPE_OV
         
     | 
| 
      
 8 
     | 
    
         
            +
                  property :imphash, coerce: String
         
     | 
| 
      
 9 
     | 
    
         
            +
                  property :machine_hex, coerce: ->(value) { Stix2.is_hex?(value) && value }
         
     | 
| 
      
 10 
     | 
    
         
            +
                  property :number_of_sections, coerce: Integer
         
     | 
| 
      
 11 
     | 
    
         
            +
                  property :time_date_stamp, coerce: Time
         
     | 
| 
      
 12 
     | 
    
         
            +
                  property :pointer_to_symbol_table_hex, coerce: ->(value) { Stix2.is_hex?(value) && value }
         
     | 
| 
      
 13 
     | 
    
         
            +
                  property :number_of_symbols, coerce: Integer
         
     | 
| 
      
 14 
     | 
    
         
            +
                  property :size_of_optional_header, coerce: Integer
         
     | 
| 
      
 15 
     | 
    
         
            +
                  property :characteristics_hex, coerce: ->(value) { Stix2.is_hex?(value) && value }
         
     | 
| 
      
 16 
     | 
    
         
            +
                  property :file_header_hashes, coerce: ->(hsh) { hash_dict(hsh) }
         
     | 
| 
      
 17 
     | 
    
         
            +
                  property :optional_header, coerce: WindowsPeOptionalHeaderType
         
     | 
| 
      
 18 
     | 
    
         
            +
                  property :sections, coerce: [WindowsPeSectionType]
         
     | 
| 
      
 19 
     | 
    
         
            +
                end
         
     | 
| 
      
 20 
     | 
    
         
            +
              end
         
     | 
| 
      
 21 
     | 
    
         
            +
            end
         
     | 
| 
         @@ -0,0 +1,13 @@ 
     | 
|
| 
      
 1 
     | 
    
         
            +
            module Stix2
         
     | 
| 
      
 2 
     | 
    
         
            +
              module Extensions
         
     | 
| 
      
 3 
     | 
    
         
            +
                class WindowsProcess < Stix2::Base
         
     | 
| 
      
 4 
     | 
    
         
            +
                  property :aslr_enabled, coerce: ->(value) { Stix2.to_bool(value) }
         
     | 
| 
      
 5 
     | 
    
         
            +
                  property :dep_enabled, coerce: ->(value) { Stix2.to_bool(value) }
         
     | 
| 
      
 6 
     | 
    
         
            +
                  property :priority, coerce: String
         
     | 
| 
      
 7 
     | 
    
         
            +
                  property :owner_sid, coerce: String
         
     | 
| 
      
 8 
     | 
    
         
            +
                  property :window_title, coerce: String
         
     | 
| 
      
 9 
     | 
    
         
            +
                  property :startup_info, coerce: Hash
         
     | 
| 
      
 10 
     | 
    
         
            +
                  property :integrity_level, values: WINDOWS_INTEGRITY_LEVEL_ENUM
         
     | 
| 
      
 11 
     | 
    
         
            +
                end
         
     | 
| 
      
 12 
     | 
    
         
            +
              end
         
     | 
| 
      
 13 
     | 
    
         
            +
            end
         
     | 
| 
         @@ -0,0 +1,14 @@ 
     | 
|
| 
      
 1 
     | 
    
         
            +
            module Stix2
         
     | 
| 
      
 2 
     | 
    
         
            +
              module Extensions
         
     | 
| 
      
 3 
     | 
    
         
            +
                class WindowsService < Stix2::Base
         
     | 
| 
      
 4 
     | 
    
         
            +
                  property :service_name, coerce: String
         
     | 
| 
      
 5 
     | 
    
         
            +
                  property :description, coerce: [String]
         
     | 
| 
      
 6 
     | 
    
         
            +
                  property :display_name, coerce: String
         
     | 
| 
      
 7 
     | 
    
         
            +
                  property :group_name, coerce: String
         
     | 
| 
      
 8 
     | 
    
         
            +
                  property :start_type, values: WINDOWS_SERVICE_START_TYPE_ENUM
         
     | 
| 
      
 9 
     | 
    
         
            +
                  property :service_dll_refs, coerce: [Identifier]
         
     | 
| 
      
 10 
     | 
    
         
            +
                  property :service_type, values: WINDOWS_SERVICE_TYPE_ENUM
         
     | 
| 
      
 11 
     | 
    
         
            +
                  property :service_status, values: WINDOWS_SERVICE_STATUS_ENUM
         
     | 
| 
      
 12 
     | 
    
         
            +
                end
         
     | 
| 
      
 13 
     | 
    
         
            +
              end
         
     | 
| 
      
 14 
     | 
    
         
            +
            end
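Review bot: `property :description, coerce: [String]` pairs a singular name with a list coercion, and STIX 2.1 names this property of the Windows service extension `descriptions`. If the base class rejects undeclared keys, a conformant object carrying `descriptions` would fail to load, and `description` would never be populated from spec-compliant input. Renaming it to `property :descriptions, coerce: [String]` would match the spec; the hunk header (`@@ -0,0 +1,14 @@`) indicates the file is new in this release, so the rename should have no compatibility cost.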
         
     |