ruby-stix2 0.1.0 → 0.1.2

Files changed (72)
  1. checksums.yaml +4 -4
  2. data/.github/workflows/build.yml +4 -3
  3. data/Gemfile +1 -1
  4. data/Gemfile.lock +54 -1
  5. data/README.md +49 -3
  6. data/lib/stix2/base.rb +7 -0
  7. data/lib/stix2/bundle.rb +1 -2
  8. data/lib/stix2/common.rb +104 -22
  9. data/lib/stix2/confidence_scale.rb +106 -0
  10. data/lib/stix2/custom_object.rb +20 -0
  11. data/lib/stix2/cyberobservable_objects/artifact.rb +1 -1
  12. data/lib/stix2/cyberobservable_objects/directory.rb +1 -1
  13. data/lib/stix2/cyberobservable_objects/domain_name.rb +1 -1
  14. data/lib/stix2/cyberobservable_objects/email_message.rb +7 -7
  15. data/lib/stix2/cyberobservable_objects/file.rb +2 -2
  16. data/lib/stix2/cyberobservable_objects/ipv4_addr.rb +4 -4
  17. data/lib/stix2/cyberobservable_objects/ipv6_addr.rb +4 -4
  18. data/lib/stix2/cyberobservable_objects/network_traffic.rb +3 -3
  19. data/lib/stix2/cyberobservable_objects/process.rb +17 -0
  20. data/lib/stix2/cyberobservable_objects/software.rb +1 -1
  21. data/lib/stix2/cyberobservable_objects/user_account.rb +4 -4
  22. data/lib/stix2/cyberobservable_objects/x509_certificate.rb +4 -2
  23. data/lib/stix2/domain_objects/attack_pattern.rb +3 -3
  24. data/lib/stix2/domain_objects/campaign.rb +1 -1
  25. data/lib/stix2/domain_objects/grouping.rb +1 -1
  26. data/lib/stix2/domain_objects/identity.rb +1 -1
  27. data/lib/stix2/domain_objects/indicator.rb +2 -2
  28. data/lib/stix2/domain_objects/infrastructure.rb +3 -3
  29. data/lib/stix2/domain_objects/intrusion-set.rb +3 -3
  30. data/lib/stix2/domain_objects/malware.rb +9 -9
  31. data/lib/stix2/domain_objects/malware_analysis.rb +3 -3
  32. data/lib/stix2/domain_objects/note.rb +2 -2
  33. data/lib/stix2/domain_objects/observed_data.rb +1 -1
  34. data/lib/stix2/domain_objects/opinion.rb +2 -2
  35. data/lib/stix2/domain_objects/report.rb +2 -2
  36. data/lib/stix2/domain_objects/threat_actor.rb +6 -6
  37. data/lib/stix2/domain_objects/tool.rb +3 -3
  38. data/lib/stix2/enum.rb +81 -22
  39. data/lib/stix2/extension_definition.rb +10 -0
  40. data/lib/stix2/extensions/alternate_data_stream_type.rb +9 -0
  41. data/lib/stix2/extensions/archive_file.rb +8 -0
  42. data/lib/stix2/extensions/http_request.rb +12 -0
  43. data/lib/stix2/extensions/icmp.rb +8 -0
  44. data/lib/stix2/extensions/ntfs.rb +10 -0
  45. data/lib/stix2/extensions/pdf.rb +11 -0
  46. data/lib/stix2/extensions/raster_image.rb +10 -0
  47. data/lib/stix2/extensions/socket.rb +13 -0
  48. data/lib/stix2/extensions/tcp.rb +8 -0
  49. data/lib/stix2/extensions/unix_account.rb +10 -0
  50. data/lib/stix2/extensions/windows_pe_optional_header_type.rb +37 -0
  51. data/lib/stix2/extensions/windows_pe_section_type.rb +10 -0
  52. data/lib/stix2/extensions/windows_pebinary.rb +21 -0
  53. data/lib/stix2/extensions/windows_process.rb +13 -0
  54. data/lib/stix2/extensions/windows_service.rb +14 -0
  55. data/lib/stix2/external_reference.rb +2 -6
  56. data/lib/stix2/identifier.rb +2 -12
  57. data/lib/stix2/kill_chain_phase.rb +3 -7
  58. data/lib/stix2/languages.rb +236 -0
  59. data/lib/stix2/meta_objects/data_markings/base.rb +1 -4
  60. data/lib/stix2/meta_objects/data_markings/granular_marking.rb +2 -6
  61. data/lib/stix2/meta_objects/data_markings/marking_definition.rb +2 -2
  62. data/lib/stix2/meta_objects/data_markings/object_marking.rb +3 -13
  63. data/lib/stix2/meta_objects/language_content.rb +1 -1
  64. data/lib/stix2/ov.rb +266 -255
  65. data/lib/stix2/relationship_objects/relationship.rb +155 -2
  66. data/lib/stix2/relationship_objects/sighting.rb +3 -3
  67. data/lib/stix2/storage.rb +21 -15
  68. data/lib/stix2/version.rb +1 -1
  69. data/lib/stix2.rb +100 -72
  70. data/ruby-stix2.gemspec +25 -21
  71. metadata +73 -11
  72. data/lib/stix2/boolean.rb +0 -18
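--- /dev/null
+++ b/data/lib/stix2/cyberobservable_objects/process.rb
@@ -0,0 +1,17 @@
+ module Stix2
+ module CyberobservableObject
+ class Process < Base
+ property :is_hidden, coerce: ->(value) { Stix2.to_bool(value) }
+ property :pid, coerce: Integer
+ property :created_time, coerce: Time
+ property :cwd, coerce: String
+ property :command_line, coerce: String
+ property :environment_variables, coerce: Hash
+ property :opened_connection_refs, coerce: [Identifier]
+ property :creator_user_ref, coerce: Identifier
+ property :image_ref, coerce: Identifier
+ property :parent_ref, coerce: Identifier
+ property :child_refs, coerce: [Identifier]
+ end
+ end
+ end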
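--- a/data/lib/stix2/cyberobservable_objects/software.rb
+++ b/data/lib/stix2/cyberobservable_objects/software.rb
@@ -4,7 +4,7 @@ module Stix2
  property :name, required: true, coerce: String
  property :cpe, coerce: String
  property :swid, coerce: String
- property :languages, coerce: Array[String]
+ property :languages, coerce: [String]
  property :vendor, coerce: String
  property :version, coerce: String
  end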
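--- a/data/lib/stix2/cyberobservable_objects/user_account.rb
+++ b/data/lib/stix2/cyberobservable_objects/user_account.rb
@@ -6,10 +6,10 @@ module Stix2
  property :account_login, coerce: String
  property :account_type, values: ACCOUNT_TYPE_OV
  property :display_name, coerce: String
- property :is_service_account, coerce: Stix2::Boolean
- property :is_privileged, coerce: Stix2::Boolean
- property :can_escalate_privs, coerce: Stix2::Boolean
- property :is_disabled, coerce: Stix2::Boolean
+ property :is_service_account, coerce: ->(value) { Stix2.to_bool(value) }
+ property :is_privileged, coerce: ->(value) { Stix2.to_bool(value) }
+ property :can_escalate_privs, coerce: ->(value) { Stix2.to_bool(value) }
+ property :is_disabled, coerce: ->(value) { Stix2.to_bool(value) }
  property :account_created, coerce: Time
  property :account_expires, coerce: Time
  property :credential_last_changed, coerce: Time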
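--- a/data/lib/stix2/cyberobservable_objects/x509_certificate.rb
+++ b/data/lib/stix2/cyberobservable_objects/x509_certificate.rb
@@ -1,8 +1,10 @@
+ require "stix2/cyberobservable_objects/x509_v3_extension_type"
+
  module Stix2
  module CyberobservableObject
  class X509Certificate < Base
- property :is_self_signed, coerce: ->(v){ boolean(v) }
- property :hashes, coerce: ->(hsh){ hash_dict(hsh) }
+ property :is_self_signed, coerce: ->(v) { Stix2.to_bool(v) }
+ property :hashes, coerce: ->(hsh) { hash_dict(hsh) }
  property :version, coerce: String
  property :serial_number, coerce: String
  property :signature_algorithm, coerce: String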
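--- a/data/lib/stix2/domain_objects/attack_pattern.rb
+++ b/data/lib/stix2/domain_objects/attack_pattern.rb
@@ -2,11 +2,11 @@ module Stix2
  module DomainObject
  class AttackPattern < Base
  property :type, required: true, coerce: String
- property :external_references, coerce: Array[Stix2::ExternalReference]
+ property :external_references, coerce: [Stix2::ExternalReference]
  property :name, coerce: String
  property :description, coerce: String
- property :aliases, coerce: Array[String]
- property :kill_chain_phases, coerce: Array[Stix2::KillChainPhase]
+ property :aliases, coerce: [String]
+ property :kill_chain_phases, coerce: [Stix2::KillChainPhase]
  end
  end
  end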
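--- a/data/lib/stix2/domain_objects/campaign.rb
+++ b/data/lib/stix2/domain_objects/campaign.rb
@@ -3,7 +3,7 @@ module Stix2
  class Campaign < Base
  property :name, coerce: String
  property :description, coerce: String
- property :aliases, coerce: Array[String]
+ property :aliases, coerce: [String]
  property :first_seen, coerce: Time
  property :last_seen, coerce: Time
  property :objective, coerce: String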
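--- a/data/lib/stix2/domain_objects/grouping.rb
+++ b/data/lib/stix2/domain_objects/grouping.rb
@@ -4,7 +4,7 @@ module Stix2
  property :name, coerce: String
  property :description, coerce: String
  property :context, values: Stix2::GROUPING_CONTEXT_OV
- property :object_refs, coerce: Array[Identifier]
+ property :object_refs, coerce: [Identifier]
  end
  end
  end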
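--- a/data/lib/stix2/domain_objects/identity.rb
+++ b/data/lib/stix2/domain_objects/identity.rb
@@ -3,7 +3,7 @@ module Stix2
  class Identity < Base
  property :name, required: true, coerce: String
  property :description, coerce: String
- property :roles, coerce: Array[String]
+ property :roles, coerce: [String]
  property :identity_class, coerce: String, values: IDENTITY_CLASS_OV
  property :sectors, coerce: String, values: INDUSTRY_SECTOR_OV
  property :contact_information, coerce: String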
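Review bot: `property :sectors, coerce: String, values: INDUSTRY_SECTOR_OV` on the unchanged line two below the new `roles` line coerces to a single String, while `roles` became `[String]` in this hunk and STIX 2.1 defines `sectors` as a list of open-vocabulary strings (confirm against the spec); an array value would be stringified rather than validated per element. The pattern this release uses for other list-of-vocabulary properties fits here: `property :sectors, coerce: ->(v) { validate_array(v, INDUSTRY_SECTOR_OV) }`. The Identity class body continues past the end of the hunk.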
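--- a/data/lib/stix2/domain_objects/indicator.rb
+++ b/data/lib/stix2/domain_objects/indicator.rb
@@ -3,13 +3,13 @@ module Stix2
  class Indicator < Base
  property :name, coerce: String
  property :description, coerce: String
- property :indicator_types, coerce: ->(v){ validate_array(v, Stix2::INDICATOR_TYPE_OV) }
+ property :indicator_types, coerce: ->(v) { validate_array(v, Stix2::INDICATOR_TYPE_OV) }
  property :pattern, coerce: String
  property :pattern_type, coerce: String, values: PATTERN_TYPE_OV
  property :pattern_version, coerce: String
  property :valid_from, coerce: Time
  property :valid_until, coerce: Time
- property :kill_chain_phases, coerce: Array[KillChainPhase]
+ property :kill_chain_phases, coerce: [KillChainPhase]
  end
  end
  end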
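--- a/data/lib/stix2/domain_objects/infrastructure.rb
+++ b/data/lib/stix2/domain_objects/infrastructure.rb
@@ -3,9 +3,9 @@ module Stix2
  class Infrastructure < Base
  property :name, required: true, coerce: String
  property :description, coerce: String
- property :infrastructure_types, coerce: ->(v){ validate_array(v, Stix2::INFRASTRUCTURE_TYPE_OV) }
- property :aliases, coerce: Array[String]
- property :kill_chain_phases, coerce: Array[KillChainPhase]
+ property :infrastructure_types, coerce: ->(v) { validate_array(v, Stix2::INFRASTRUCTURE_TYPE_OV) }
+ property :aliases, coerce: [String]
+ property :kill_chain_phases, coerce: [KillChainPhase]
  property :first_seen, coerce: Time
  property :last_seen, coerce: Time
  end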
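--- a/data/lib/stix2/domain_objects/intrusion-set.rb
+++ b/data/lib/stix2/domain_objects/intrusion-set.rb
@@ -3,13 +3,13 @@ module Stix2
  class IntrusionSet < Base
  property :name, required: true, coerce: String
  property :description, coerce: String
- property :aliases, coerce: Array[String]
+ property :aliases, coerce: [String]
  property :first_seen, coerce: Time
  property :last_seen, coerce: Time
- property :goals, coerce: Array[String]
+ property :goals, coerce: [String]
  property :resource_level, values: ATTACK_RESOURCE_LEVEL_OV
  property :primary_motivation, values: ATTACK_MOTIVATION_OV
- property :secondary_motivations, coerce: ->(v){ validate_array(v, Stix2::ATTACK_MOTIVATION_OV) }
+ property :secondary_motivations, coerce: ->(v) { validate_array(v, Stix2::ATTACK_MOTIVATION_OV) }
  end
  end
  end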
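--- a/data/lib/stix2/domain_objects/malware.rb
+++ b/data/lib/stix2/domain_objects/malware.rb
@@ -3,17 +3,17 @@ module Stix2
  class Malware < Base
  property :name, coerce: String
  property :description, coerce: String
- property :malware_types, coerce: ->(v){ validate_array(v, Stix2::MALWARE_TYPE_OV) }
- property :is_family, coerce: ->(v){ is_boolean?(v) }
- property :aliases, coerce: Array[String]
- property :kill_chain_phases, coerce: Array[KillChainPhase]
+ property :malware_types, coerce: ->(v) { validate_array(v, Stix2::MALWARE_TYPE_OV) }
+ property :is_family, coerce: ->(v) { Stix2.to_bool(v) }
+ property :aliases, coerce: [String]
+ property :kill_chain_phases, coerce: [KillChainPhase]
  property :first_seen, coerce: Time
  property :last_seen, coerce: Time
- property :operating_system_refs, coerce: Array[Identifier]
- property :architecture_execution_envs, coerce: ->(v){ validate_array(v, Stix2::PROCESSOR_ARCHITECTURE_OV) }
- property :implementation_languages, coerce: ->(v){ validate_array(v, Stix2::IMPLEMENTATION_LANGUAGE_OV) }
- property :capabilities, coerce: ->(v){ validate_array(v, Stix2::IMPLEMENTATION_CAPABILITIES_OV) }
- property :sample_refs, coerce: Array[Identifier]
+ property :operating_system_refs, coerce: [Identifier]
+ property :architecture_execution_envs, coerce: ->(v) { validate_array(v, Stix2::PROCESSOR_ARCHITECTURE_OV) }
+ property :implementation_languages, coerce: ->(v) { validate_array(v, Stix2::IMPLEMENTATION_LANGUAGE_OV) }
+ property :capabilities, coerce: ->(v) { validate_array(v, Stix2::IMPLEMENTATION_CAPABILITIES_OV) }
+ property :sample_refs, coerce: [Identifier]
  end
  end
  end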
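Review bot: `is_family` at new line 7 gains a boolean coercer but still has no `required: true`, although STIX 2.1 lists `is_family` as a required property of the malware SDO (confirm against the spec), so a malware object that omits it passes validation here. Suggested: `property :is_family, required: true, coerce: ->(v) { Stix2.to_bool(v) }`. Whether `Stix2.to_bool` maps an absent value to `false` before the required check runs cannot be seen from this hunk and is worth checking in stix2.rb, which this release also changes.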
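--- a/data/lib/stix2/domain_objects/malware_analysis.rb
+++ b/data/lib/stix2/domain_objects/malware_analysis.rb
@@ -5,9 +5,9 @@ module Stix2
  property :version, coerce: String
  property :host_vm_ref, coerce: Identifier
  property :operating_system_ref, coerce: Identifier
- property :installed_software_refs, coerce: Array[Identifier]
+ property :installed_software_refs, coerce: [Identifier]
  property :configuration_version, coerce: String
- property :modules, coerce: Array[String]
+ property :modules, coerce: [String]
  property :analysis_engine_version, coerce: String
  property :analysis_definition_version, coerce: String
  property :submitted, coerce: Time
@@ -15,7 +15,7 @@ module Stix2
  property :analysis_ended, coerce: Time
  property :result_name, coerce: String
  property :result, values: MALWARE_RESULT_OV
- property :analysis_sco_refs, coerce: Array[Identifier]
+ property :analysis_sco_refs, coerce: [Identifier]
  property :sample_ref, coerce: Identifier
  end
  end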
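--- a/data/lib/stix2/domain_objects/note.rb
+++ b/data/lib/stix2/domain_objects/note.rb
@@ -3,8 +3,8 @@ module Stix2
  class Note < Base
  property :abstract, coerce: String
  property :content, coerce: String
- property :authors, coerce: Array[String]
- property :object_refs, coerce: Array[Identifier]
+ property :authors, coerce: [String]
+ property :object_refs, coerce: [Identifier]
  end
  end
  end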
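--- a/data/lib/stix2/domain_objects/observed_data.rb
+++ b/data/lib/stix2/domain_objects/observed_data.rb
@@ -5,7 +5,7 @@ module Stix2
  property :last_observed, required: true, coerce: Time
  property :number_observed, required: true, coerce: Integer
  property :objects, coerce: Hash
- property :object_refs, coerce: Array[Identifier]
+ property :object_refs, coerce: [Identifier]
  end
  end
  end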
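--- a/data/lib/stix2/domain_objects/opinion.rb
+++ b/data/lib/stix2/domain_objects/opinion.rb
@@ -2,9 +2,9 @@ module Stix2
  module DomainObject
  class Opinion < Base
  property :explanation, coerce: String
- property :authors, coerce: Array[String]
+ property :authors, coerce: [String]
  property :opinion, values: OPINION_ENUM
- property :object_refs, coerce: Array[Identifier]
+ property :object_refs, coerce: [Identifier]
  end
  end
  end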
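--- a/data/lib/stix2/domain_objects/report.rb
+++ b/data/lib/stix2/domain_objects/report.rb
@@ -3,9 +3,9 @@ module Stix2
  class Report < Base
  property :name, required: true, coerce: String
  property :description, coerce: String
- property :report_types, coerce: ->(v){ validate_array(v, Stix2::REPORT_TYPE_OV) }
+ property :report_types, coerce: ->(v) { validate_array(v, Stix2::REPORT_TYPE_OV) }
  property :published, coerce: Time
- property :object_refs, coerce: Array[Identifier]
+ property :object_refs, coerce: [Identifier]
  end
  end
  end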
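--- a/data/lib/stix2/domain_objects/threat_actor.rb
+++ b/data/lib/stix2/domain_objects/threat_actor.rb
@@ -3,17 +3,17 @@ module Stix2
  class ThreatActor < Base
  property :name, required: true, coerce: String
  property :description, coerce: String
- property :threat_actor_types, coerce: ->(v){ validate_array(v, THREAT_ACTOR_TYPE_OV) }
- property :aliases, coerce: Array[String]
+ property :threat_actor_types, coerce: ->(v) { validate_array(v, THREAT_ACTOR_TYPE_OV) }
+ property :aliases, coerce: [String]
  property :first_seen, coerce: Time
  property :last_seen, coerce: Time
- property :roles, coerce: ->(v){ validate_array(v, THREAT_ACTOR_ROLE_OV) }
- property :goals, coerce: Array[String]
+ property :roles, coerce: ->(v) { validate_array(v, THREAT_ACTOR_ROLE_OV) }
+ property :goals, coerce: [String]
  property :sophistication, values: THREAT_ACTOR_SOPHISTICATION_OV
  property :resource_level, values: ATTACK_RESOURCE_LEVEL_OV
  property :primary_motivation, values: ATTACK_MOTIVATION_OV
- property :secondary_motivations, coerce: ->(v){ validate_array(v, ATTACK_MOTIVATION_OV) }
- property :personal_motivations, coerce: ->(v){ validate_array(v, ATTACK_MOTIVATION_OV) }
+ property :secondary_motivations, coerce: ->(v) { validate_array(v, ATTACK_MOTIVATION_OV) }
+ property :personal_motivations, coerce: ->(v) { validate_array(v, ATTACK_MOTIVATION_OV) }
  end
  end
  end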
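--- a/data/lib/stix2/domain_objects/tool.rb
+++ b/data/lib/stix2/domain_objects/tool.rb
@@ -3,9 +3,9 @@ module Stix2
  class Tool < Base
  property :name, required: true, coerce: String
  property :description, coerce: String
- property :tool_types, coerce: ->(v){ validate_array(v, TOOL_TYPES_OV) }
- property :aliases, coerce: Array[String]
- property :kill_chain_phases, coerce: Array[KillChainPhase]
+ property :tool_types, coerce: ->(v) { validate_array(v, TOOL_TYPES_OV) }
+ property :aliases, coerce: [String]
+ property :kill_chain_phases, coerce: [KillChainPhase]
  property :tool_version, coerce: String
  end
  end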
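--- a/data/lib/stix2/enum.rb
+++ b/data/lib/stix2/enum.rb
@@ -1,32 +1,91 @@
  module Stix2
  OPINION_ENUM = [
- 'strongly-disagree',
- 'disagree',
- 'neutral',
- 'agree',
- 'strongly-agree'
+ "strongly-disagree",
+ "disagree",
+ "neutral",
+ "agree",
+ "strongly-agree"
  ].freeze
 
  ENCRYPTION_ALGORITHM_ENUM = [
- 'AES-256-GCM',
- 'ChaCha20-Poly1305',
- 'mime-type-indicated'
+ "AES-256-GCM",
+ "ChaCha20-Poly1305",
+ "mime-type-indicated"
  ].freeze
 
  WINDOWS_REGISTRY_DATATYPE_ENUM = [
- 'REG_NONE',
- 'REG_SZ',
- 'REG_EXPAND_SZ',
- 'REG_BINARY',
- 'REG_DWORD',
- 'REG_DWORD_BIG_ENDIAN',
- 'REG_DWORD_LITTLE_ENDIAN',
- 'REG_LINK',
- 'REG_MULTI_SZ',
- 'REG_RESOURCE_LIST',
- 'REG_FULL_RESOURCE_DESCRIPTION',
- 'REG_RESOURCE_REQUIREMENTS_LIST',
- 'REG_QWORD',
- 'REG_INVALID_TYPE'
+ "REG_NONE",
+ "REG_SZ",
+ "REG_EXPAND_SZ",
+ "REG_BINARY",
+ "REG_DWORD",
+ "REG_DWORD_BIG_ENDIAN",
+ "REG_DWORD_LITTLE_ENDIAN",
+ "REG_LINK",
+ "REG_MULTI_SZ",
+ "REG_RESOURCE_LIST",
+ "REG_FULL_RESOURCE_DESCRIPTION",
+ "REG_RESOURCE_REQUIREMENTS_LIST",
+ "REG_QWORD",
+ "REG_INVALID_TYPE"
+ ].freeze
+
+ EXTENSION_TYPE_ENUM = [
+ "new-sdo",
+ "new-sco",
+ "new-sro",
+ "property-extension",
+ "toplevel-property-extension"
+ ].freeze
+
+ NETWORK_SOCKET_ADDRESS_FAMILY_ENUM = [
+ "AF_UNSPEC",
+ "AF_INET",
+ "AF_IPX",
+ "AF_APPLETALK",
+ "AF_NETBIOS",
+ "AF_INET6",
+ "AF_IRDA",
+ "AF_BTH"
+ ].freeze
+
+ NETWORK_SOCKET_TYPE_ENUM = [
+ "SOCK_STREAM",
+ "AF_ISOCK_DGRAMNET",
+ "SOCK_RAW",
+ "SOCK_RDM",
+ "SOCK_SEQPACKET"
+ ].freeze
+
+ WINDOWS_INTEGRITY_LEVEL_ENUM = [
+ "low",
+ "medium",
+ "high",
+ "system"
+ ].freeze
+
+ WINDOWS_SERVICE_START_TYPE_ENUM = [
+ "SERVICE_AUTO_START",
+ "SERVICE_BOOT_START",
+ "SERVICE_DEMAND_START",
+ "SERVICE_DISABLED",
+ "SERVICE_SYSTEM_ALERT"
+ ].freeze
+
+ WINDOWS_SERVICE_TYPE_ENUM = [
+ "SERVICE_KERNEL_DRIVER",
+ "SERVICE_FILE_SYSTEM_DRIVER",
+ "SERVICE_WIN32_OWN_PROCESS",
+ "SERVICE_WIN32_SHARE_PROCESS"
+ ].freeze
+
+ WINDOWS_SERVICE_STATUS_ENUM = [
+ "SERVICE_CONTINUE_PENDING",
+ "SERVICE_PAUSE_PENDING",
+ "SERVICE_PAUSED",
+ "SERVICE_RUNNING",
+ "SERVICE_START_PENDING",
+ "SERVICE_STOP_PENDING",
+ "SERVICE_STOPPED"
  ].freeze
  end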
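Review bot: `NETWORK_SOCKET_TYPE_ENUM` at new line 54 contains `"AF_ISOCK_DGRAMNET"`, which reads as `SOCK_DGRAM` with `AF_INET` pasted into the middle of it; as written the enum rejects the datagram socket type that real socket observables carry and accepts a value nothing produces, and because `Socket#socket_type` in this release validates with `values: NETWORK_SOCKET_TYPE_ENUM`, every UDP socket observable fails validation. Replace the entry with `"SOCK_DGRAM"`. A small test that compares each `*_ENUM` constant against the STIX 2.1 vocabulary tables would catch transcription slips like this one before release.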
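--- /dev/null
+++ b/data/lib/stix2/extension_definition.rb
@@ -0,0 +1,10 @@
+ module Stix2
+ class ExtensionDefinition < Stix2::Common
+ property :name, required: true, coerce: String
+ property :description, coerce: String
+ property :schema, required: true, coerce: String
+ property :version, required: true, coerce: String
+ property :extension_types, required: true, coerce: ->(values) { validate_array(values, EXTENSION_TYPE_ENUM) }
+ property :extension_properties, coerce: [String]
+ end
+ end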
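Review bot: `extension_properties` at new line 8 is optional here, but STIX 2.1 (as I recall, the extension-definition section) requires it whenever `extension_types` contains `"toplevel-property-extension"`, and nothing in this hunk enforces that cross-field rule. If `Stix2::Common` offers a validation hook, add the check there; otherwise at least record the gap with `# NOTE: extension_properties is required when extension_types includes "toplevel-property-extension" — not enforced here`. The spec also marks `created_by_ref` as required on this object type; whether `Stix2::Common` enforces that is outside this hunk.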
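--- /dev/null
+++ b/data/lib/stix2/extensions/alternate_data_stream_type.rb
@@ -0,0 +1,9 @@
+ module Stix2
+ module Extensions
+ class AlternateDataStreamType < Stix2::Base
+ property :name, required: true, coerce: String
+ property :hashes, coerce: ->(hsh) { hash_dict(hsh) }
+ property :size, coerce: Integer
+ end
+ end
+ end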
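--- /dev/null
+++ b/data/lib/stix2/extensions/archive_file.rb
@@ -0,0 +1,8 @@
+ module Stix2
+ module Extensions
+ class ArchiveFile < Stix2::Base
+ property :contains_refs, required: true, coerce: [Identifier]
+ property :comment, coerce: String
+ end
+ end
+ end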
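--- /dev/null
+++ b/data/lib/stix2/extensions/http_request.rb
@@ -0,0 +1,12 @@
+ module Stix2
+ module Extensions
+ class HttpRequest < Stix2::Base
+ property :request_method, required: true, coerce: String
+ property :request_value, required: true, coerce: String
+ property :request_version, coerce: String
+ property :request_header, coerce: Hash
+ property :message_body_length, coerce: Integer
+ property :message_body_data_ref, coerce: Identifier
+ end
+ end
+ end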
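--- /dev/null
+++ b/data/lib/stix2/extensions/icmp.rb
@@ -0,0 +1,8 @@
+ module Stix2
+ module Extensions
+ class Icmp < Stix2::Base
+ property :icmp_type_hex, required: true, coerce: ->(value) { Stix2.is_hex?(value) && value }
+ property :icmp_code_hex, required: true, coerce: ->(value) { Stix2.is_hex?(value) && value }
+ end
+ end
+ end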
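Review bot: The `icmp_type_hex` and `icmp_code_hex` coercers at new lines 4-5 evaluate to `false` for a non-hex value instead of rejecting it, so malformed input is silently stored as `false`; if `required: true` only checks for a nil value (the usual Hashie-style semantics — confirm), it will not catch this either, and the object serializes with a boolean where the spec expects a hex string. Fail loudly instead, e.g. `coerce: ->(value) { Stix2.is_hex?(value) ? value : raise(ArgumentError, "icmp_type_hex must be a hex string") }`. The same `is_hex?(value) && value` pattern recurs in tcp.rb, windows_pe_optional_header_type.rb and windows_pebinary.rb in this release, so a shared helper on `Stix2` that validates-or-raises would fix all of them at once.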
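--- /dev/null
+++ b/data/lib/stix2/extensions/ntfs.rb
@@ -0,0 +1,10 @@
+ require "stix2/extensions/alternate_data_stream_type"
+
+ module Stix2
+ module Extensions
+ class Ntfs < Stix2::Base
+ property :sid, coerce: String
+ property :alternate_data_streams, coerce: [AlternateDataStreamType]
+ end
+ end
+ end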
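--- /dev/null
+++ b/data/lib/stix2/extensions/pdf.rb
@@ -0,0 +1,11 @@
+ module Stix2
+ module Extensions
+ class Pdf < Stix2::Base
+ property :version, coerce: String
+ property :is_optimized, coerce: ->(value) { Stix2.to_bool(value) }
+ property :document_info_dict, {String => String}
+ property :pdfid0, coerce: String
+ property :pdfid1, coerce: String
+ end
+ end
+ end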
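Review bot: `property :document_info_dict, {String => String}` at new line 6 passes a bare options hash with no `coerce:` (or `values:`) key, unlike every other property in this file, so the dictionary is stored with no coercion or validation at all and the `{String => String}` intent is lost. Either use `property :document_info_dict, coerce: Hash`, matching the other dictionary properties in this release (`exif_tags`, `environment_variables`, `startup_info`), or `coerce: {String => String}` if the property macro accepts that mapping form — which it does cannot be seen from this hunk.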
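--- /dev/null
+++ b/data/lib/stix2/extensions/raster_image.rb
@@ -0,0 +1,10 @@
+ module Stix2
+ module Extensions
+ class RasterImage < Stix2::Base
+ property :image_height, coerce: Integer
+ property :image_width, coerce: Integer
+ property :bits_per_pixel, coerce: Integer
+ property :exif_tags, coerce: Hash
+ end
+ end
+ end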
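--- /dev/null
+++ b/data/lib/stix2/extensions/socket.rb
@@ -0,0 +1,13 @@
+ module Stix2
+ module Extensions
+ class Socket < Stix2::Base
+ property :address_family, required: true, values: NETWORK_SOCKET_ADDRESS_FAMILY_ENUM
+ property :is_blocking, coerce: ->(value) { Stix2.to_bool(value) }
+ property :is_listening, coerce: ->(value) { Stix2.to_bool(value) }
+ property :options, coerce: ->(hsh) { hsh.keys.all? { |k| k.is_a?(Integer) } && hsh }
+ property :socket_type, values: NETWORK_SOCKET_TYPE_ENUM
+ property :socket_descriptor, coerce: Integer
+ property :socket_handle, coerce: Integer
+ end
+ end
+ end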
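Review bot: The `options` coercer at new line 7 calls `hsh.keys` before confirming it has a Hash, so a non-hash value raises `NoMethodError` from inside the coercer rather than a validation error, and when any key is not an Integer the lambda evaluates to `false`, which is then stored as the property value. It is also worth checking the check itself against the STIX 2.1 socket-ext definition: as I recall it is the option values that must be integers, with keys being `SO_*` option names, which would make this test inverted. A safer shape is `coerce: ->(hsh) { raise ArgumentError, "options must be a Hash" unless hsh.is_a?(Hash); hsh }` followed by whichever key/value rule the spec actually states.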
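--- /dev/null
+++ b/data/lib/stix2/extensions/tcp.rb
@@ -0,0 +1,8 @@
+ module Stix2
+ module Extensions
+ class Tcp < Stix2::Base
+ property :src_flags_hex, coerce: ->(value) { Stix2.is_hex?(value) && value }
+ property :dst_flags_hex, coerce: ->(value) { Stix2.is_hex?(value) && value }
+ end
+ end
+ end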
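--- /dev/null
+++ b/data/lib/stix2/extensions/unix_account.rb
@@ -0,0 +1,10 @@
+ module Stix2
+ module Extensions
+ class UnixAccount < Stix2::Base
+ property :gid, coerce: Integer
+ property :groups, coerce: [String]
+ property :home_dir, coerce: String
+ property :shell, coerce: String
+ end
+ end
+ end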
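--- /dev/null
+++ b/data/lib/stix2/extensions/windows_pe_optional_header_type.rb
@@ -0,0 +1,37 @@
+ module Stix2
+ module Extensions
+ class WindowsPeOptionalHeaderType < Stix2::Base
+ property :magic_hex, coerce: ->(value) { Stix2.is_hex?(value) && value }
+ property :major_linker_version, coerce: Integer
+ property :minor_linker_version, coerce: Integer
+ property :size_of_code, coerce: Integer
+ property :size_of_initialized_data, coerce: Integer
+ property :size_of_uninitialized_data, coerce: Integer
+ property :address_of_entry_point, coerce: Integer
+ property :base_of_code, coerce: Integer
+ property :base_of_data, coerce: Integer
+ property :image_base, coerce: Integer
+ property :section_alignment, coerce: Integer
+ property :file_alignment, coerce: Integer
+ property :major_os_version, coerce: Integer
+ property :minor_os_version, coerce: Integer
+ property :major_image_version, coerce: Integer
+ property :minor_image_version, coerce: Integer
+ property :major_subsystem_version, coerce: Integer
+ property :minor_subsystem_version, coerce: Integer
+ property :win32_version_value_hex, coerce: ->(value) { Stix2.is_hex?(value) && value }
+ property :size_of_image, coerce: Integer
+ property :size_of_headers, coerce: Integer
+ property :checksum_hex, coerce: ->(value) { Stix2.is_hex?(value) && value }
+ property :subsystem_hex, coerce: ->(value) { Stix2.is_hex?(value) && value }
+ property :dll_characteristics_hex, coerce: ->(value) { Stix2.is_hex?(value) && value }
+ property :size_of_stack_reserve, coerce: Integer
+ property :size_of_stack_commit, coerce: Integer
+ property :size_of_heap_reserve, coerce: Integer
+ property :size_of_heap_commit, coerce: Integer
+ property :loader_flags_hex, coerce: ->(value) { Stix2.is_hex?(value) && value }
+ property :number_of_rva_and_sizes, coerce: Integer
+ property :hashes, coerce: ->(hsh) { hash_dict(hsh) }
+ end
+ end
+ end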
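--- /dev/null
+++ b/data/lib/stix2/extensions/windows_pe_section_type.rb
@@ -0,0 +1,10 @@
+ module Stix2
+ module Extensions
+ class WindowsPeSectionType < Stix2::Base
+ property :name, required: true, coerce: String
+ property :size, coerce: Integer
+ property :entropy, coerce: Float
+ property :hashes, coerce: ->(hsh) { hash_dict(hsh) }
+ end
+ end
+ end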
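--- /dev/null
+++ b/data/lib/stix2/extensions/windows_pebinary.rb
@@ -0,0 +1,21 @@
+ require "stix2/extensions/windows_pe_optional_header_type"
+ require "stix2/extensions/windows_pe_section_type"
+
+ module Stix2
+ module Extensions
+ class WindowsPebinary < Stix2::Base
+ property :pe_type, required: true, values: WINDOWS_PEBINARY_TYPE_OV
+ property :imphash, coerce: String
+ property :machine_hex, coerce: ->(value) { Stix2.is_hex?(value) && value }
+ property :number_of_sections, coerce: Integer
+ property :time_date_stamp, coerce: Time
+ property :pointer_to_symbol_table_hex, coerce: ->(value) { Stix2.is_hex?(value) && value }
+ property :number_of_symbols, coerce: Integer
+ property :size_of_optional_header, coerce: Integer
+ property :characteristics_hex, coerce: ->(value) { Stix2.is_hex?(value) && value }
+ property :file_header_hashes, coerce: ->(hsh) { hash_dict(hsh) }
+ property :optional_header, coerce: WindowsPeOptionalHeaderType
+ property :sections, coerce: [WindowsPeSectionType]
+ end
+ end
+ end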
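--- /dev/null
+++ b/data/lib/stix2/extensions/windows_process.rb
@@ -0,0 +1,13 @@
+ module Stix2
+ module Extensions
+ class WindowsProcess < Stix2::Base
+ property :aslr_enabled, coerce: ->(value) { Stix2.to_bool(value) }
+ property :dep_enabled, coerce: ->(value) { Stix2.to_bool(value) }
+ property :priority, coerce: String
+ property :owner_sid, coerce: String
+ property :window_title, coerce: String
+ property :startup_info, coerce: Hash
+ property :integrity_level, values: WINDOWS_INTEGRITY_LEVEL_ENUM
+ end
+ end
+ end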
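--- /dev/null
+++ b/data/lib/stix2/extensions/windows_service.rb
@@ -0,0 +1,14 @@
+ module Stix2
+ module Extensions
+ class WindowsService < Stix2::Base
+ property :service_name, coerce: String
+ property :description, coerce: [String]
+ property :display_name, coerce: String
+ property :group_name, coerce: String
+ property :start_type, values: WINDOWS_SERVICE_START_TYPE_ENUM
+ property :service_dll_refs, coerce: [Identifier]
+ property :service_type, values: WINDOWS_SERVICE_TYPE_ENUM
+ property :service_status, values: WINDOWS_SERVICE_STATUS_ENUM
+ end
+ end
+ end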
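Review bot: `property :description, coerce: [String]` at new line 5 declares a list, which matches the STIX 2.1 windows-service-ext property named `descriptions` (plural) rather than `description`; if the singular is a slip, objects that use the spec name will have that property dropped or rejected on load, so confirm against the spec and rename to `descriptions` if so. None of the extension classes added in this release carry a comment tying them to their STIX extension id; a one-liner above each class, here `# STIX 2.1 windows-service-ext`, would let a reader map class to spec without guessing.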