ruby-stix2 0.1.0
- checksums.yaml +7 -0
- data/.github/workflows/build.yml +31 -0
- data/.gitignore +56 -0
- data/Gemfile +4 -0
- data/Gemfile.lock +43 -0
- data/LICENSE +339 -0
- data/README.md +116 -0
- data/Rakefile +8 -0
- data/lib/stix2/boolean.rb +18 -0
- data/lib/stix2/bundle.rb +7 -0
- data/lib/stix2/common.rb +62 -0
- data/lib/stix2/cyberobservable_objects/artifact.rb +12 -0
- data/lib/stix2/cyberobservable_objects/autonomous_system.rb +9 -0
- data/lib/stix2/cyberobservable_objects/base.rb +6 -0
- data/lib/stix2/cyberobservable_objects/directory.rb +12 -0
- data/lib/stix2/cyberobservable_objects/domain_name.rb +8 -0
- data/lib/stix2/cyberobservable_objects/email_addr.rb +9 -0
- data/lib/stix2/cyberobservable_objects/email_message.rb +21 -0
- data/lib/stix2/cyberobservable_objects/email_mime_part_type.rb +10 -0
- data/lib/stix2/cyberobservable_objects/file.rb +18 -0
- data/lib/stix2/cyberobservable_objects/ipv4_addr.rb +11 -0
- data/lib/stix2/cyberobservable_objects/ipv6_addr.rb +11 -0
- data/lib/stix2/cyberobservable_objects/mac_addr.rb +7 -0
- data/lib/stix2/cyberobservable_objects/mutex.rb +7 -0
- data/lib/stix2/cyberobservable_objects/network_traffic.rb +23 -0
- data/lib/stix2/cyberobservable_objects/software.rb +12 -0
- data/lib/stix2/cyberobservable_objects/url.rb +7 -0
- data/lib/stix2/cyberobservable_objects/user_account.rb +20 -0
- data/lib/stix2/cyberobservable_objects/windows_registry_key.rb +11 -0
- data/lib/stix2/cyberobservable_objects/windows_registry_value.rb +9 -0
- data/lib/stix2/cyberobservable_objects/x509_certificate.rb +19 -0
- data/lib/stix2/cyberobservable_objects/x509_v3_extension_type.rb +22 -0
- data/lib/stix2/domain_objects/attack_pattern.rb +12 -0
- data/lib/stix2/domain_objects/base.rb +6 -0
- data/lib/stix2/domain_objects/campaign.rb +12 -0
- data/lib/stix2/domain_objects/course_of_action.rb +9 -0
- data/lib/stix2/domain_objects/grouping.rb +10 -0
- data/lib/stix2/domain_objects/identity.rb +12 -0
- data/lib/stix2/domain_objects/indicator.rb +15 -0
- data/lib/stix2/domain_objects/infrastructure.rb +13 -0
- data/lib/stix2/domain_objects/intrusion-set.rb +15 -0
- data/lib/stix2/domain_objects/location.rb +17 -0
- data/lib/stix2/domain_objects/malware.rb +19 -0
- data/lib/stix2/domain_objects/malware_analysis.rb +22 -0
- data/lib/stix2/domain_objects/note.rb +10 -0
- data/lib/stix2/domain_objects/observed_data.rb +11 -0
- data/lib/stix2/domain_objects/opinion.rb +10 -0
- data/lib/stix2/domain_objects/report.rb +11 -0
- data/lib/stix2/domain_objects/threat_actor.rb +19 -0
- data/lib/stix2/domain_objects/tool.rb +12 -0
- data/lib/stix2/domain_objects/vulnerability.rb +8 -0
- data/lib/stix2/enum.rb +32 -0
- data/lib/stix2/external_reference.rb +13 -0
- data/lib/stix2/identifier.rb +18 -0
- data/lib/stix2/kill_chain_phase.rb +10 -0
- data/lib/stix2/meta_objects/base.rb +6 -0
- data/lib/stix2/meta_objects/data_markings/base.rb +11 -0
- data/lib/stix2/meta_objects/data_markings/granular_marking.rb +15 -0
- data/lib/stix2/meta_objects/data_markings/marking_definition.rb +19 -0
- data/lib/stix2/meta_objects/data_markings/object_marking.rb +22 -0
- data/lib/stix2/meta_objects/language_content.rb +9 -0
- data/lib/stix2/ov.rb +319 -0
- data/lib/stix2/relationship_objects/base.rb +6 -0
- data/lib/stix2/relationship_objects/relationship.rb +12 -0
- data/lib/stix2/relationship_objects/sighting.rb +14 -0
- data/lib/stix2/storage.rb +23 -0
- data/lib/stix2/version.rb +3 -0
- data/lib/stix2.rb +101 -0
- data/ruby-stix2.gemspec +27 -0
- metadata +208 -0
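--- a/data/lib/stix2/common.rb
+++ b/data/lib/stix2/common.rb
@@ -0,0 +1,62 @@
+module Stix2
+class Common < Hashie::Dash
+include Hashie::Extensions::Dash::PredefinedValues
+include Hashie::Extensions::IndifferentAccess
+include Hashie::Extensions::Dash::Coercion
+
+property :type, required: true, coerce: String
+property :spec_version, coerce: String, values: ['2.1']
+property :id, coerce: Identifier
+property :created_by_ref, coerce: Identifier
+property :created, coerce: Time
+property :modified, coerce: Time
+property :revoked, coerce: Stix2::Boolean
+property :labels, coerce: Array[String]
+property :confidence, coerce: Integer
+property :lang, coerce: String
+property :external_references, coerce: Array[ExternalReference]
+property :object_marking_refs, coerce: Array[Stix2::MetaObject::DataMarking::ObjectMarking]
+property :granular_markings, coerce: Array[MetaObject::DataMarking::GranularMarking]
+property :defanged, coerce: Stix2::Boolean
+property :extensions, coerce: Hash
+
+def initialize(options = {})
+Hashie.symbolize_keys!(options)
+type = to_dash(self.class.name.split('::').last)
+if options[:type]
+raise("Property 'type' must be '#{type}'") if options[:type] != type
+else
+options[:type] = type
+end
+super(options)
+Stix2.storage_add(self)
+end
+
+def method_missing(m, *args, &block)
+super(m, args, block) if !m.to_s.end_with?('_instance')
+# Retrieve the original method
+ref_method = m.to_s.gsub(/_instance$/, '')
+obj = send(ref_method)
+raise("Can't get a Stix2::Identifier from #{ref_method}") if !obj.is_a?(Stix2::Identifier)
+Stix2.storage_find(obj)
+end
+
+private
+
+def to_dash(string)
+string.gsub(/[[:upper:]]/) { "-#{$&.downcase}" }[1..]
+end
+
+def self.validate_array(list, valid_values)
+excess = (Array(list) - valid_values)
+excess.empty? || raise("Invalid values: #{excess}")
+list
+end
+
+def self.hash_dict(hsh)
+invalids = hsh.keys.map(&:to_s) - HASH_ALGORITHM_OV
+invalids.empty? || raise("Invalid values: #{invalids}")
+hsh
+end
+end
+end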
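Review bot: `method_missing` (hunk line 36) falls back with `super(m, args, block)`, which hands the argument list to the parent as a single Array and the block as a positional value instead of `*args`/`&block`; bare `super` (or `super(m, *args, &block)`) forwards them correctly, and there is no matching `respond_to_missing?`, so `respond_to?(:created_by_ref_instance)` is false although the call works. Line 39 uses `send(ref_method)`, which can reach private methods such as `to_dash` for a name like `to_dash_instance`; `public_send` restricts the lookup to the public property readers. `private` on line 44 does not affect the `def self.` helpers on lines 50 and 56, so they remain public class methods — use `private_class_method` if they are meant to be internal. Line 32 also registers every constructed object in the process-wide `Stix2.storage_add`, so parsing an untrusted bundle grows that store without bound; a comment on the intended lifetime, or an explicit clear/reset API, would help callers that ingest feeds.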
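--- a/data/lib/stix2/cyberobservable_objects/artifact.rb
+++ b/data/lib/stix2/cyberobservable_objects/artifact.rb
@@ -0,0 +1,12 @@
+module Stix2
+module CyberobservableObject
+class Artifact < Base
+property :mime_type, coerce: String
+property :payload_bin, coerce: String
+property :url, coerce: String
+property :hashes, coerce: ->(hsh){ hash_dict(hsh) }
+property :encryption_algorithm, values: ENCRYPTION_ALGORITHM_ENUM
+property :decryption_key, coerce: String
+end
+end
+end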
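Review bot: `payload_bin` (hunk line 5) and `url` (line 6) are accepted independently, but as I recall STIX 2.1 requires exactly one of them and requires `hashes` whenever `url` is present; none of that is checked here, and `payload_bin` is not validated as base64, so a malformed artifact is stored silently. `decryption_key` (line 9) holds a secret as a plain String on an object that `Common#initialize` places in the global store, so it will show up in `inspect`/`to_json` output; at minimum a comment such as `# decryption_key is a secret: redact before logging or serializing` should sit on that line.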
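--- a/data/lib/stix2/cyberobservable_objects/directory.rb
+++ b/data/lib/stix2/cyberobservable_objects/directory.rb
@@ -0,0 +1,12 @@
+module Stix2
+module CyberobservableObject
+class Directory < Base
+property :path, required: true, coerce: String
+property :path, required: true, coerce: String
+property :ctime, coerce: Time
+property :mtime, coerce: Time
+property :atime, coerce: Time
+property :contains_refs, coerce: Array[Identifier]
+end
+end
+end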
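Review bot: `property :path` is declared twice (hunk lines 4 and 5); the second is a copy-paste slip, and judging by the `name`/`name_enc` pair in the sibling File object and the STIX 2.1 Directory definition it should be the optional encoding field, `property :path_enc, coerce: String`. As written, the spec's `path_enc` cannot be set at all and is dropped from any document that carries it.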
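--- a/data/lib/stix2/cyberobservable_objects/email_message.rb
+++ b/data/lib/stix2/cyberobservable_objects/email_message.rb
@@ -0,0 +1,21 @@
+module Stix2
+module CyberobservableObject
+class EmailMessage < Base
+property :is_multipart, required: true, coerce: Stix2::Boolean
+property :date, coerce: Time
+property :content_type, coerce: String
+property :from_ref, coerce: Identifier
+property :sender_ref, coerce: Identifier
+property :to_refs, coerce: Array[Identifier]
+property :cc_refs, coerce: Array[Identifier]
+property :bcc_refs, coerce: Array[Identifier]
+property :message_id, coerce: String
+property :subject, coerce: String
+property :received_lines, coerce: Array[String]
+property :additional_header_fields, coerce: Hash[String => String]
+property :body, coerce: String
+property :body_multipart, coerce: Array[EmailMimePartType]
+property :raw_email_ref, coerce: Identifier
+end
+end
+end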
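Review bot: `is_multipart` (hunk line 4) is required, but nothing ties it to `body` (line 16) and `body_multipart` (line 17): as I recall STIX 2.1, `body` must not be present when `is_multipart` is true and `body_multipart` must not be present when it is false, so a message carrying both is accepted here. A check after `super` in an `initialize` override, raising on the conflicting combination, or at least a comment on line 4 stating the coupling, would make the contract visible.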
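--- a/data/lib/stix2/cyberobservable_objects/email_mime_part_type.rb
+++ b/data/lib/stix2/cyberobservable_objects/email_mime_part_type.rb
@@ -0,0 +1,10 @@
+module Stix2
+module CyberobservableObject
+class EmailMimePartType < Base
+property :body, coerce: String
+property :body_raw_ref, coerce: Identifier
+property :content_type, coerce: String
+property :content_disposition, coerce: String
+end
+end
+end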
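Review bot: `EmailMimePartType < Base` (hunk line 3) inherits `Common#initialize`, which stamps a `type` of `email-mime-part-type`, adds `id`/`spec_version`/marking properties and registers the part in `Stix2.storage_add`; this is an embedded element of `EmailMessage#body_multipart`, not a top-level STIX object, so a plain `Hashie::Dash` with the same coercion extensions looks like the intended base. If the inheritance is deliberate, a one-line comment saying so would stop the next reader from "fixing" it.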
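--- a/data/lib/stix2/cyberobservable_objects/file.rb
+++ b/data/lib/stix2/cyberobservable_objects/file.rb
@@ -0,0 +1,18 @@
+module Stix2
+module CyberobservableObject
+class File < Base
+property :hashes, coerce: ->(hsh){ hash_dict(hsh) }
+property :size, coerce: Integer
+property :name, coerce: String
+property :name_enc, coerce: String
+property :magic_number_hex, coerce: String
+property :mime_type, coerce: String
+property :ctime, coerce: String
+property :mtime, coerce: String
+property :atime, coerce: String
+property :parent_directory_ref, coerce: Identifier
+property :contains_refs, coerce: Array[Identifier]
+property :content_ref, coerce: Identifier
+end
+end
+end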
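Review bot: `ctime`, `mtime` and `atime` (hunk lines 10–12) are coerced to String, while the identically named properties in the sibling Directory object use `coerce: Time`; these are timestamps in STIX 2.1, so `coerce: Time` here makes the two observables agree and gives callers a real Time instead of a raw string. `magic_number_hex` (line 8) is accepted as any String; a `/\A\h*\z/` check in the coercion would reject non-hex values at construction.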
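--- a/data/lib/stix2/cyberobservable_objects/ipv4_addr.rb
+++ b/data/lib/stix2/cyberobservable_objects/ipv4_addr.rb
@@ -0,0 +1,11 @@
+require 'ipaddr'
+
+module Stix2
+module CyberobservableObject
+class Ipv4Addr < Base
+property :value, required: true, coerce: ->(v){ IPAddr.new(v, Socket::AF_INET).to_s }
+property :resolves_to_refs, coerce: Array[Identifier]
+property :resolves_to_refs, coerce: Array[Identifier]
+end
+end
+end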
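Review bot: the `value` coercion on hunk line 6, `IPAddr.new(v, Socket::AF_INET).to_s`, returns only the network address for a CIDR value such as `198.51.100.0/24` and silently drops the prefix length, so a range indicator is stored as a single host; STIX 2.1 explicitly allows CIDR notation here. Use IPAddr only to validate and keep the original string, e.g. `->(v){ IPAddr.new(v, Socket::AF_INET); v }`, or rebuild it from `ip.prefix`. `resolves_to_refs` is declared twice (lines 7 and 8); the second should be `belongs_to_refs`. Bad input also escapes as `IPAddr::InvalidAddressError` rather than the RuntimeError the other validators raise.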
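--- a/data/lib/stix2/cyberobservable_objects/ipv6_addr.rb
+++ b/data/lib/stix2/cyberobservable_objects/ipv6_addr.rb
@@ -0,0 +1,11 @@
+require 'ipaddr'
+
+module Stix2
+module CyberobservableObject
+class Ipv6Addr < Base
+property :value, required: true, coerce: ->(v){ IPAddr.new(v, Socket::AF_INET6).to_s }
+property :resolves_to_refs, coerce: Array[Identifier]
+property :resolves_to_refs, coerce: Array[Identifier]
+end
+end
+end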
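Review bot: same problem as Ipv4Addr: hunk line 6 normalizes through `IPAddr.new(v, Socket::AF_INET6).to_s`, which discards the prefix length of a CIDR value and also re-renders the address, so the stored value can differ from what the feed supplied; keep the original string and use IPAddr only to validate. Lines 7 and 8 both declare `resolves_to_refs`; the second should be `belongs_to_refs`.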
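--- a/data/lib/stix2/cyberobservable_objects/network_traffic.rb
+++ b/data/lib/stix2/cyberobservable_objects/network_traffic.rb
@@ -0,0 +1,23 @@
+module Stix2
+module CyberobservableObject
+class NetworkTraffic < Base
+property :start, coerce: Time
+property :end, coerce: Time
+property :is_active, coerce: ->(v){ boolean(v) }
+property :src_ref, coerce: Identifier
+property :dst_ref, coerce: Identifier
+property :src_port, coerce: Integer
+property :dst_port, coerce: Integer
+property :protocols, required: true, coerce: Array[String]
+property :src_byte_count, coerce: Integer
+property :dst_byte_count, coerce: Integer
+property :src_packets, coerce: Integer
+property :dst_packets, coerce: Integer
+property :ipfix, coerce: Hash
+property :src_payload_ref, coerce: Identifier
+property :dst_payload_ref, coerce: Identifier
+property :encapsulates_refs, coerce: Array[Identifier]
+property :encapsulated_by_ref, coerce: Identifier
+end
+end
+end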
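Review bot: `is_active` (hunk line 6) coerces via `->(v){ boolean(v) }`, but no `boolean` helper is defined in Common or anywhere else in this patch, so the first document that carries `is_active` raises NoMethodError inside the coercion; the rest of the gem uses the `Stix2::Boolean` coercer, i.e. `property :is_active, coerce: Stix2::Boolean`. `src_port`/`dst_port` (lines 9–10) are coerced to Integer with no 0–65535 bound, so negative or oversized ports are stored as-is.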
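--- a/data/lib/stix2/cyberobservable_objects/software.rb
+++ b/data/lib/stix2/cyberobservable_objects/software.rb
@@ -0,0 +1,12 @@
+module Stix2
+module CyberobservableObject
+class Software < Base
+property :name, required: true, coerce: String
+property :cpe, coerce: String
+property :swid, coerce: String
+property :languages, coerce: Array[String]
+property :vendor, coerce: String
+property :version, coerce: String
+end
+end
+end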
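--- a/data/lib/stix2/cyberobservable_objects/user_account.rb
+++ b/data/lib/stix2/cyberobservable_objects/user_account.rb
@@ -0,0 +1,20 @@
+module Stix2
+module CyberobservableObject
+class UserAccount < Base
+property :user_id, coerce: String
+property :credential, coerce: String
+property :account_login, coerce: String
+property :account_type, values: ACCOUNT_TYPE_OV
+property :display_name, coerce: String
+property :is_service_account, coerce: Stix2::Boolean
+property :is_privileged, coerce: Stix2::Boolean
+property :can_escalate_privs, coerce: Stix2::Boolean
+property :is_disabled, coerce: Stix2::Boolean
+property :account_created, coerce: Time
+property :account_expires, coerce: Time
+property :credential_last_changed, coerce: Time
+property :account_first_login, coerce: Time
+property :account_last_login, coerce: Time
+end
+end
+end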
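Review bot: `credential` (hunk line 5) stores a cleartext secret as an ordinary String attribute, and because `Common#initialize` keeps every object in the process-wide store, any `inspect`, log line or `to_json` of a UserAccount will print it. The STIX 2.1 spec itself flags this property as one to use with caution; a warning comment on line 5 and an `inspect` override that redacts `credential` would be the minimum here.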
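--- a/data/lib/stix2/cyberobservable_objects/windows_registry_key.rb
+++ b/data/lib/stix2/cyberobservable_objects/windows_registry_key.rb
@@ -0,0 +1,11 @@
+module Stix2
+module CyberobservableObject
+class WindowsRegistryKey < Base
+property :key, coerce: String
+property :values, coerce: [WindowsRegistryValue]
+property :modified_time, coerce: Time
+property :creator_user_ref, coerce: Identifier
+property :number_of_subkeys, coerce: Integer
+end
+end
+end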
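Review bot: hunk line 5 writes the list coercion as `coerce: [WindowsRegistryValue]` while every other list property in this patch uses the `Array[...]` form; Hashie treats both as the same Array instance, so this is style only, but `coerce: Array[WindowsRegistryValue]` keeps the files uniform. `key` (line 4) accepts any String; a comment that the spec expects the full key including the hive prefix would help callers.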
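--- a/data/lib/stix2/cyberobservable_objects/x509_certificate.rb
+++ b/data/lib/stix2/cyberobservable_objects/x509_certificate.rb
@@ -0,0 +1,19 @@
+module Stix2
+module CyberobservableObject
+class X509Certificate < Base
+property :is_self_signed, coerce: ->(v){ boolean(v) }
+property :hashes, coerce: ->(hsh){ hash_dict(hsh) }
+property :version, coerce: String
+property :serial_number, coerce: String
+property :signature_algorithm, coerce: String
+property :issuer, coerce: String
+property :validity_not_before, coerce: Time
+property :validity_not_after, coerce: Time
+property :subject, coerce: String
+property :subject_public_key_algorithm, coerce: String
+property :subject_public_key_modulus, coerce: String
+property :subject_public_key_exponent, coerce: String
+property :x509_v3_extensions, coerce: X509V3ExtensionType
+end
+end
+end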
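Review bot: `is_self_signed` (hunk line 4) uses `->(v){ boolean(v) }`, the same undefined helper as NetworkTraffic; no `boolean` method exists in this patch, so coercion raises NoMethodError, and `coerce: Stix2::Boolean` is the form the rest of the gem uses. `serial_number`, `subject_public_key_modulus` and `subject_public_key_exponent` (lines 7, 14, 15) are kept as free-form Strings, which matches the spec, but a short comment that they are not parsed or canonicalized would save callers from comparing differently formatted hex.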
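--- a/data/lib/stix2/cyberobservable_objects/x509_v3_extension_type.rb
+++ b/data/lib/stix2/cyberobservable_objects/x509_v3_extension_type.rb
@@ -0,0 +1,22 @@
+module Stix2
+module CyberobservableObject
+class X509V3ExtensionType < Base
+property :basic_constraints, coerce: String
+property :name_constraints, coerce: String
+property :policy_constraints, coerce: String
+property :key_usage, coerce: String
+property :extended_key_usage, coerce: String
+property :subject_key_identifier, coerce: String
+property :authority_key_identifier, coerce: String
+property :subject_alternative_name, coerce: String
+property :issuer_alternative_name, coerce: String
+property :subject_directory_attributes, coerce: String
+property :crl_distribution_points, coerce: String
+property :inhibit_any_policy, coerce: String
+property :private_key_usage_period_not_before, coerce: Time
+property :private_key_usage_period_not_after, coerce: Time
+property :certificate_policies, coerce: String
+property :policy_mappings, coerce: String
+end
+end
+end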
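Review bot: `X509V3ExtensionType < Base` (hunk line 3) turns an embedded sub-structure of X509Certificate into a full observable: `Common#initialize` stamps `type: 'x509-v3-extension-type'`, adds `id`/marking properties and registers it in the global store. As with EmailMimePartType, a plain `Hashie::Dash` with the coercion extensions seems to be the intended base; if not, a comment explaining the choice belongs on line 3.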
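--- a/data/lib/stix2/domain_objects/attack_pattern.rb
+++ b/data/lib/stix2/domain_objects/attack_pattern.rb
@@ -0,0 +1,12 @@
+module Stix2
+module DomainObject
+class AttackPattern < Base
+property :type, required: true, coerce: String
+property :external_references, coerce: Array[Stix2::ExternalReference]
+property :name, coerce: String
+property :description, coerce: String
+property :aliases, coerce: Array[String]
+property :kill_chain_phases, coerce: Array[Stix2::KillChainPhase]
+end
+end
+end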
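Review bot: hunk lines 4 and 5 redeclare `type` and `external_references`, which `Common` already defines with the same options; the duplicates are harmless to Hashie but read as a copy-paste and should go so the list shows only AttackPattern's own fields. `name` (line 6) is required for attack-pattern in STIX 2.1 and the sibling Identity, Infrastructure and Tool files mark it `required: true`; `property :name, required: true, coerce: String` would be consistent.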
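--- a/data/lib/stix2/domain_objects/campaign.rb
+++ b/data/lib/stix2/domain_objects/campaign.rb
@@ -0,0 +1,12 @@
+module Stix2
+module DomainObject
+class Campaign < Base
+property :name, coerce: String
+property :description, coerce: String
+property :aliases, coerce: Array[String]
+property :first_seen, coerce: Time
+property :last_seen, coerce: Time
+property :objective, coerce: String
+end
+end
+end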
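Review bot: `name` on hunk line 4 is optional here, while IntrusionSet, Tool, Report and the other SDOs in this patch declare it `required: true`; STIX 2.1 requires `name` for campaign as well, so `property :name, required: true, coerce: String` would match both the spec and the siblings. `last_seen` (line 8) is also not checked against `first_seen` (line 7).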
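--- a/data/lib/stix2/domain_objects/identity.rb
+++ b/data/lib/stix2/domain_objects/identity.rb
@@ -0,0 +1,12 @@
+module Stix2
+module DomainObject
+class Identity < Base
+property :name, required: true, coerce: String
+property :description, coerce: String
+property :roles, coerce: Array[String]
+property :identity_class, coerce: String, values: IDENTITY_CLASS_OV
+property :sectors, coerce: String, values: INDUSTRY_SECTOR_OV
+property :contact_information, coerce: String
+end
+end
+end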
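Review bot: `sectors` on hunk line 8 is coerced to String with `values: INDUSTRY_SECTOR_OV`, but in STIX 2.1 `sectors` is a list of open-vocab strings, and the rest of this patch validates list-valued vocabularies with the `validate_array` helper from Common; `property :sectors, coerce: ->(v){ validate_array(v, Stix2::INDUSTRY_SECTOR_OV) }` follows that pattern and stops a two-element list from being stringified or rejected.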
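--- a/data/lib/stix2/domain_objects/indicator.rb
+++ b/data/lib/stix2/domain_objects/indicator.rb
@@ -0,0 +1,15 @@
+module Stix2
+module DomainObject
+class Indicator < Base
+property :name, coerce: String
+property :description, coerce: String
+property :indicator_types, coerce: ->(v){ validate_array(v, Stix2::INDICATOR_TYPE_OV) }
+property :pattern, coerce: String
+property :pattern_type, coerce: String, values: PATTERN_TYPE_OV
+property :pattern_version, coerce: String
+property :valid_from, coerce: Time
+property :valid_until, coerce: Time
+property :kill_chain_phases, coerce: Array[KillChainPhase]
+end
+end
+end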
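Review bot: `pattern`, `pattern_type` and `valid_from` (hunk lines 7, 8, 10) are optional here, whereas STIX 2.1 requires all three for an indicator; adding `required: true` to each, as sibling files do for `name`, rejects an indicator with no pattern at construction instead of storing an object detection code cannot use. `valid_until` (line 11) is also not checked to be later than `valid_from`.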
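--- a/data/lib/stix2/domain_objects/infrastructure.rb
+++ b/data/lib/stix2/domain_objects/infrastructure.rb
@@ -0,0 +1,13 @@
+module Stix2
+module DomainObject
+class Infrastructure < Base
+property :name, required: true, coerce: String
+property :description, coerce: String
+property :infrastructure_types, coerce: ->(v){ validate_array(v, Stix2::INFRASTRUCTURE_TYPE_OV) }
+property :aliases, coerce: Array[String]
+property :kill_chain_phases, coerce: Array[KillChainPhase]
+property :first_seen, coerce: Time
+property :last_seen, coerce: Time
+end
+end
+end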
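--- a/data/lib/stix2/domain_objects/intrusion-set.rb
+++ b/data/lib/stix2/domain_objects/intrusion-set.rb
@@ -0,0 +1,15 @@
+module Stix2
+module DomainObject
+class IntrusionSet < Base
+property :name, required: true, coerce: String
+property :description, coerce: String
+property :aliases, coerce: Array[String]
+property :first_seen, coerce: Time
+property :last_seen, coerce: Time
+property :goals, coerce: Array[String]
+property :resource_level, values: ATTACK_RESOURCE_LEVEL_OV
+property :primary_motivation, values: ATTACK_MOTIVATION_OV
+property :secondary_motivations, coerce: ->(v){ validate_array(v, Stix2::ATTACK_MOTIVATION_OV) }
+end
+end
+end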
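Review bot: this hunk appears to be the file the diffstat lists as `domain_objects/intrusion-set.rb`, the only hyphenated name among snake_case siblings (`attack_pattern.rb`, `malware_analysis.rb`); a loader that derives the path from the class name, or an autoload convention, will not find it consistently, so `intrusion_set.rb` is the safer name. The `IntrusionSet` body itself matches the sibling ThreatActor's handling of motivations.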
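--- a/data/lib/stix2/domain_objects/location.rb
+++ b/data/lib/stix2/domain_objects/location.rb
@@ -0,0 +1,17 @@
+module Stix2
+module DomainObject
+class Location < Base
+property :name, coerce: String
+property :description, coerce: String
+property :latitude, coerce: Float
+property :longitude, coerce: Float
+property :precision, coerce: Float
+property :region, values: REGION_OV
+property :country, coerce: String
+property :administrative_area, coerce: String
+property :city, coerce: String
+property :street_address, coerce: String
+property :postal_code, coerce: String
+end
+end
+end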
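Review bot: `latitude`, `longitude` and `precision` (hunk lines 6–8) are coerced to Float with no bounds; STIX 2.1 constrains latitude to -90..90 and longitude to -180..180, requires both when either is present, and requires both when `precision` is given. A post-coercion check such as `raise("latitude out of range") unless (-90..90).cover?(latitude)` keeps nonsense coordinates out of the store.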
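--- a/data/lib/stix2/domain_objects/malware.rb
+++ b/data/lib/stix2/domain_objects/malware.rb
@@ -0,0 +1,19 @@
+module Stix2
+module DomainObject
+class Malware < Base
+property :name, coerce: String
+property :description, coerce: String
+property :malware_types, coerce: ->(v){ validate_array(v, Stix2::MALWARE_TYPE_OV) }
+property :is_family, coerce: ->(v){ is_boolean?(v) }
+property :aliases, coerce: Array[String]
+property :kill_chain_phases, coerce: Array[KillChainPhase]
+property :first_seen, coerce: Time
+property :last_seen, coerce: Time
+property :operating_system_refs, coerce: Array[Identifier]
+property :architecture_execution_envs, coerce: ->(v){ validate_array(v, Stix2::PROCESSOR_ARCHITECTURE_OV) }
+property :implementation_languages, coerce: ->(v){ validate_array(v, Stix2::IMPLEMENTATION_LANGUAGE_OV) }
+property :capabilities, coerce: ->(v){ validate_array(v, Stix2::IMPLEMENTATION_CAPABILITIES_OV) }
+property :sample_refs, coerce: Array[Identifier]
+end
+end
+end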
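Review bot: `is_family` (hunk line 7) coerces through `->(v){ is_boolean?(v) }`, a helper that does not exist anywhere in this patch — Common defines no boolean method, and NetworkTraffic and X509Certificate spell the same intent as `boolean(v)`, so the gem now has three boolean idioms of which only `Stix2::Boolean` is real; use `property :is_family, required: true, coerce: Stix2::Boolean`. The `required: true` matters too: STIX 2.1 requires `is_family` on malware, and a malware object without it is currently accepted.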
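--- a/data/lib/stix2/domain_objects/malware_analysis.rb
+++ b/data/lib/stix2/domain_objects/malware_analysis.rb
@@ -0,0 +1,22 @@
+module Stix2
+module DomainObject
+class MalwareAnalysis < Base
+property :product, coerce: String
+property :version, coerce: String
+property :host_vm_ref, coerce: Identifier
+property :operating_system_ref, coerce: Identifier
+property :installed_software_refs, coerce: Array[Identifier]
+property :configuration_version, coerce: String
+property :modules, coerce: Array[String]
+property :analysis_engine_version, coerce: String
+property :analysis_definition_version, coerce: String
+property :submitted, coerce: Time
+property :analysis_started, coerce: Time
+property :analysis_ended, coerce: Time
+property :result_name, coerce: String
+property :result, values: MALWARE_RESULT_OV
+property :analysis_sco_refs, coerce: Array[Identifier]
+property :sample_ref, coerce: Identifier
+end
+end
+end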
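Review bot: `product` (hunk line 4) is optional here but required by STIX 2.1 for malware-analysis, and the spec also requires at least one of `result` (line 17) or `analysis_sco_refs` (line 18); neither rule is enforced, so an analysis with no product and no outcome is accepted. `required: true` on `product`, plus a check after `super` that one of the two outcome properties is set, would close that gap.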
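--- a/data/lib/stix2/domain_objects/observed_data.rb
+++ b/data/lib/stix2/domain_objects/observed_data.rb
@@ -0,0 +1,11 @@
+module Stix2
+module DomainObject
+class ObservedData < Base
+property :first_observed, required: true, coerce: Time
+property :last_observed, required: true, coerce: Time
+property :number_observed, required: true, coerce: Integer
+property :objects, coerce: Hash
+property :object_refs, coerce: Array[Identifier]
+end
+end
+end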
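Review bot: `number_observed` (hunk line 6) is coerced to Integer with no range check, while STIX 2.1 restricts it to 1..999,999,999, and nothing checks `last_observed >= first_observed` (lines 4–5), so a zero count or an inverted window is stored. `objects` (line 7) is the 2.0-style container that 2.1 deprecates in favour of `object_refs`; a `# deprecated in STIX 2.1, prefer object_refs` comment on line 7 would steer callers.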
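--- a/data/lib/stix2/domain_objects/report.rb
+++ b/data/lib/stix2/domain_objects/report.rb
@@ -0,0 +1,11 @@
+module Stix2
+module DomainObject
+class Report < Base
+property :name, required: true, coerce: String
+property :description, coerce: String
+property :report_types, coerce: ->(v){ validate_array(v, Stix2::REPORT_TYPE_OV) }
+property :published, coerce: Time
+property :object_refs, coerce: Array[Identifier]
+end
+end
+end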
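Review bot: `published` and `object_refs` (hunk lines 7 and 8) are optional here, but STIX 2.1 requires both for a report; `required: true` on each, matching `name` on line 4, rejects an empty report at construction rather than leaving consumers to discover it has no content.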
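--- a/data/lib/stix2/domain_objects/threat_actor.rb
+++ b/data/lib/stix2/domain_objects/threat_actor.rb
@@ -0,0 +1,19 @@
+module Stix2
+module DomainObject
+class ThreatActor < Base
+property :name, required: true, coerce: String
+property :description, coerce: String
+property :threat_actor_types, coerce: ->(v){ validate_array(v, THREAT_ACTOR_TYPE_OV) }
+property :aliases, coerce: Array[String]
+property :first_seen, coerce: Time
+property :last_seen, coerce: Time
+property :roles, coerce: ->(v){ validate_array(v, THREAT_ACTOR_ROLE_OV) }
+property :goals, coerce: Array[String]
+property :sophistication, values: THREAT_ACTOR_SOPHISTICATION_OV
+property :resource_level, values: ATTACK_RESOURCE_LEVEL_OV
+property :primary_motivation, values: ATTACK_MOTIVATION_OV
+property :secondary_motivations, coerce: ->(v){ validate_array(v, ATTACK_MOTIVATION_OV) }
+property :personal_motivations, coerce: ->(v){ validate_array(v, ATTACK_MOTIVATION_OV) }
+end
+end
+end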
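--- a/data/lib/stix2/domain_objects/tool.rb
+++ b/data/lib/stix2/domain_objects/tool.rb
@@ -0,0 +1,12 @@
+module Stix2
+module DomainObject
+class Tool < Base
+property :name, required: true, coerce: String
+property :description, coerce: String
+property :tool_types, coerce: ->(v){ validate_array(v, TOOL_TYPES_OV) }
+property :aliases, coerce: Array[String]
+property :kill_chain_phases, coerce: Array[KillChainPhase]
+property :tool_version, coerce: String
+end
+end
+end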
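Review bot: `TOOL_TYPES_OV` on hunk line 6 breaks the singular `<NAME>_TYPE_OV` pattern every other vocabulary in this patch follows (`INDICATOR_TYPE_OV`, `MALWARE_TYPE_OV`, `REPORT_TYPE_OV`, `INFRASTRUCTURE_TYPE_OV`); if ov.rb defines the singular form, this lambda raises NameError the first time `tool_types` is coerced, and it will not show up at load because the constant is only resolved inside the lambda. ov.rb is not in this view, so please confirm which spelling it defines and align the two.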