ruby-stix2 0.1.0

data/lib/stix2/enum.rb

@@ -0,0 +1,32 @@
+module Stix2
+  OPINION_ENUM = [
+    'strongly-disagree',
+    'disagree',
+    'neutral',
+    'agree',
+    'strongly-agree'
+  ].freeze
+
+  ENCRYPTION_ALGORITHM_ENUM = [
+    'AES-256-GCM',
+    'ChaCha20-Poly1305',
+    'mime-type-indicated'
+  ].freeze
+
+  WINDOWS_REGISTRY_DATATYPE_ENUM = [
+    'REG_NONE',
+    'REG_SZ',
+    'REG_EXPAND_SZ',
+    'REG_BINARY',
+    'REG_DWORD',
+    'REG_DWORD_BIG_ENDIAN',
+    'REG_DWORD_LITTLE_ENDIAN',
+    'REG_LINK',
+    'REG_MULTI_SZ',
+    'REG_RESOURCE_LIST',
+    'REG_FULL_RESOURCE_DESCRIPTION',
+    'REG_RESOURCE_REQUIREMENTS_LIST',
+    'REG_QWORD',
+    'REG_INVALID_TYPE'
+  ].freeze
+end

data/lib/stix2/external_reference.rb

@@ -0,0 +1,13 @@
+module Stix2
+  class ExternalReference < Hashie::Dash
+    include Hashie::Extensions::Dash::PredefinedValues
+    include Hashie::Extensions::IndifferentAccess
+    include Hashie::Extensions::Dash::Coercion
+
+    property :source_name, coerce: String, required: true
+    property :description, coerce: String
+    property :url, coerce: String
+    property :hashes, coerce: ->(hsh){ hash_dict(hsh) }
+    property :external_id, coerce: String
+  end
+end

data/lib/stix2/identifier.rb

@@ -0,0 +1,18 @@
+module Stix2
+  class Identifier
+    def initialize(value)
+      value.match(/.*--.*/) || raise("Invalid identifier: #{value}")
+      @value = value
+    end
+
+    def to_s
+      @value
+    end
+
+    def pretty_print(pp)
+      # :nocov:
+      pp.text(@value.inspect)
+      # :nocov
+    end
+  end
+end

data/lib/stix2/kill_chain_phase.rb

@@ -0,0 +1,10 @@
+module Stix2
+  class KillChainPhase < Hashie::Dash
+    include Hashie::Extensions::Dash::PredefinedValues
+    include Hashie::Extensions::IndifferentAccess
+    include Hashie::Extensions::Dash::Coercion
+    
+    property :kill_chain_name, coerce: String
+    property :phase_name, coerce: String
+  end
+end

data/lib/stix2/meta_objects/base.rb

@@ -0,0 +1,6 @@
+module Stix2
+  module MetaObject
+    class Base < Stix2::Common
+    end
+  end
+end

data/lib/stix2/meta_objects/data_markings/base.rb

@@ -0,0 +1,11 @@
+module Stix2
+  module MetaObject
+    module DataMarking
+      class Base < Hashie::Dash
+        include Hashie::Extensions::Dash::PredefinedValues
+        include Hashie::Extensions::IndifferentAccess
+        include Hashie::Extensions::Dash::Coercion
+      end
+    end
+  end
+end

data/lib/stix2/meta_objects/data_markings/granular_marking.rb

@@ -0,0 +1,15 @@
+module Stix2
+  module MetaObject
+    module DataMarking
+      class GranularMarking < Hashie::Dash
+        include Hashie::Extensions::Dash::PredefinedValues
+        include Hashie::Extensions::IndifferentAccess
+        include Hashie::Extensions::Dash::Coercion
+
+        property :lang, coerce: String
+        property :marking_ref, coerce: Identifier
+        property :selectors, coerce: Array[String]
+      end
+    end
+  end
+end

data/lib/stix2/meta_objects/data_markings/marking_definition.rb

@@ -0,0 +1,19 @@
+module Stix2
+  module MetaObject
+    module DataMarking
+      class MarkingDefinition < Stix2::Common
+        property :name, coerce: String
+        property :definition_type, required: true, coerce: String
+        property :definition, required: true, coerce: Hash[String => String]
+
+        def initialize(args)
+          super(args)
+          raise("Property 'definition' must contain a single key") if definition.size > 1
+          if definition_type != definition.keys.first
+            raise("Property 'definition_type' and 'definition' must have a matching key") 
+          end
+        end
+      end
+    end
+  end
+end

data/lib/stix2/meta_objects/data_markings/object_marking.rb

@@ -0,0 +1,22 @@
+module Stix2
+  module MetaObject
+    module DataMarking
+      class ObjectMarking
+        def initialize(value)
+          value.match(/marking-definition--.*/) || raise("Invalid value: #{value}")
+          @value = value
+        end
+
+        def to_s
+          @value
+        end
+
+        def pretty_print(pp)
+          # :nocov:
+          pp.text(@value.inspect)
+          # :nocov
+        end
+      end
+    end
+  end
+end

data/lib/stix2/meta_objects/language_content.rb

@@ -0,0 +1,9 @@
+module Stix2
+  module MetaObject
+    class LanguageContent < Base
+      property :object_ref, coerce: Identifier
+      property :object_modified, coerce: Time
+      property :contents, coerce: Hash # TODO
+    end
+  end
+end

data/lib/stix2/ov.rb

@@ -0,0 +1,319 @@
+module Stix2
+  INDICATOR_TYPE_OV = [
+    'anomalous-activity',
+    'anonymization',
+    'benign',
+    'compromised',
+    'malicious-activity',
+    'attribution',
+    'unknown'
+  ].freeze
+
+  PATTERN_TYPE_OV = [
+    'stix',
+    'pcre',
+    'sigma',
+    'snort',
+    'suricata',
+    'yara'
+  ].freeze
+
+  GROUPING_CONTEXT_OV = [
+    'suspicious-activity',
+    'malware-analysis',
+    'unspecified'
+  ].freeze
+
+  IDENTITY_CLASS_OV = [
+    'individual',
+    'group',
+    'system',
+    'organization',
+    'class',
+    'unspecified'
+  ].freeze
+
+  INDUSTRY_SECTOR_OV = [
+    'agriculture',
+    'aerospace',
+    'automotive',
+    'chemical',
+    'commercial',
+    'communications',
+    'construction',
+    'defense',
+    'education',
+    'energy',
+    'entertainment',
+    'financial-services',
+    'government (emergency-services, government-local, government-national, government-public-services, government-regional)',
+    'healthcare',
+    'hospitality-leisure',
+    'infrastructure (dams, nuclear, water)',
+    'insurance',
+    'manufacturing',
+    'mining',
+    'non-profit',
+    'pharmaceuticals',
+    'retail',
+    'technology',
+    'telecommunications',
+    'transportation',
+    'utilities'
+  ].freeze
+
+  MALWARE_TYPE_OV = [
+    'adware',
+    'backdoor',
+    'bot',
+    'bootkit',
+    'ddos',
+    'downloader',
+    'dropper',
+    'exploit-kit',
+    'keylogger',
+    'ransomware',
+    'remote-access-trojan',
+    'resource-exploitation',
+    'rogue-security-software',
+    'rootkit',
+    'screen-capture',
+    'spyware',
+    'trojan',
+    'unknown',
+    'virus',
+    'webshell',
+    'wiper',
+    'worm'
+  ].freeze
+
+  PROCESSOR_ARCHITECTURE_OV = [
+    'alpha',
+    'arm',
+    'ia-64',
+    'mips',
+    'powerpc',
+    'sparc',
+    'x86',
+    'x86-64'
+  ].freeze
+
+  IMPLEMENTATION_LANGUAGE_OV = [
+    'applescript',
+    'bash',
+    'c',
+    'c++',
+    'c#',
+    'go',
+    'java',
+    'javascript',
+    'lua',
+    'objective-c',
+    'perl',
+    'php',
+    'powershell',
+    'python',
+    'ruby',
+    'scala',
+    'swift',
+    'typescript',
+    'visual-basic',
+    'x86-32',
+    'x86-64'
+  ].freeze
+
+  IMPLEMENTATION_CAPABILITIES_OV = [
+    'accesses-remote-machines',
+    'anti-debugging',
+    'anti-disassembly',
+    'anti-emulation',
+    'anti-memory-forensics',
+    'anti-sandbox',
+    'anti-vm',
+    'captures-input-peripherals',
+    'captures-output-peripherals',
+    'captures-system-state-data',
+    'cleans-traces-of-infection',
+    'commits-fraud',
+    'communicates-with-c2',
+    'compromises-data-availability',
+    'compromises-data-integrity',
+    'compromises-system-availability',
+    'controls-local-machine',
+    'degrades-security-software',
+    'degrades-system-updates',
+    'determines-c2-server',
+    'emails-spam',
+    'escalates-privileges',
+    'evades-av',
+    'exfiltrates-data',
+    'fingerprints-host',
+    'hides-artifacts',
+    'hides-executing-code',
+    'infects-files',
+    'infects-remote-machines',
+    'installs-other-components',
+    'persists-after-system-reboot',
+    'prevents-artifact-access',
+    'prevents-artifact-deletion',
+    'probes-network-environment',
+    'self-modifies',
+    'steals-authentication-credentials',
+    'violates-system-operational-integrity'
+  ].freeze
+
+  INFRASTRUCTURE_TYPE_OV = [
+    'amplification',
+    'anonymization',
+    'botnet',
+    'command-and-control',
+    'exfiltration',
+    'hosting-malware',
+    'hosting-target-lists',
+    'phishing',
+    'reconnaissance',
+    'staging',
+    'undefined'
+  ].freeze
+
+  ATTACK_RESOURCE_LEVEL_OV = [
+    'individual',
+    'club',
+    'contest',
+    'team',
+    'organization',
+    'government'
+  ].freeze
+
+  ATTACK_MOTIVATION_OV = [
+    'accidental',
+    'coercion',
+    'dominance',
+    'ideology',
+    'notoriety',
+    'organizational-gain',
+    'personal-gain',
+    'personal-satisfaction',
+    'revenge',
+    'unpredictable'
+  ].freeze
+
+  REGION_OV = [
+    'eastern-africa',
+    'middle-africa',
+    'northern-africa',
+    'southern-africa',
+    'western-africa',
+    'caribbean',
+    'central-america',
+    'latin-america-caribbean',
+    'northern-america',
+    'south-america',
+    'central-asia',
+    'eastern-asia',
+    'southern-asia',
+    'south-eastern-asia',
+    'western-asia',
+    'eastern-europe',
+    'northern-europe',
+    'southern-europe',
+    'western-europe',
+    'antarctica',
+    'australia-new-zealand',
+    'melanesia',
+    'micronesia',
+    'polynesia'
+  ].freeze
+
+  MALWARE_RESULT_OV = [
+    'malicious',
+    'suspicious',
+    'benign',
+    'unknown'
+  ].freeze
+
+  REPORT_TYPE_OV = [
+    'attack-pattern',
+    'campaign',
+    'identity',
+    'indicator',
+    'intrusion-set',
+    'malware',
+    'observed-data',
+    'threat-actor',
+    'threat-report',
+    'tool',
+    'vulnerability'
+  ].freeze
+
+  THREAT_ACTOR_TYPE_OV = [
+    'activist',
+    'competitor',
+    'crime-syndicate',
+    'criminal',
+    'hacker',
+    'insider-accidental',
+    'insider-disgruntled',
+    'nation-state',
+    'sensationalist',
+    'spy',
+    'terrorist',
+    'unknown'
+  ].freeze
+
+  THREAT_ACTOR_ROLE_OV = [
+    'agent',
+    'director',
+    'independent',
+    'infrastructure-architect',
+    'infrastructure-operator',
+    'malware-author',
+    'sponsor'
+  ].freeze
+
+  THREAT_ACTOR_SOPHISTICATION_OV = [
+    'none',
+    'minimal',
+    'intermediate',
+    'advanced',
+    'expert',
+    'innovator',
+    'strategic'
+  ].freeze
+
+  TOOL_TYPES_OV = [
+    'denial-of-service',
+    'exploitation',
+    'information-gathering',
+    'network-capture',
+    'credential-exploitation',
+    'remote-access',
+    'vulnerability-scanning',
+    'unknown'
+  ].freeze
+
+  HASH_ALGORITHM_OV = [
+    'MD5',
+    'SHA-1',
+    'SHA-256',
+    'SHA-512',
+    'SHA3-256',
+    'SHA3-512',
+    'SSDEEP',
+    'TLSH'
+  ].freeze
+
+  ACCOUNT_TYPE_OV = [
+    'facebook',
+    'ldap',
+    'nis',
+    'openid',
+    'radius',
+    'skype',
+    'tacacs',
+    'twitter',
+    'unix',
+    'windows-local',
+    'windows-domain'
+  ].freeze
+end

data/lib/stix2/relationship_objects/base.rb

@@ -0,0 +1,6 @@
+module Stix2
+  module RelationshipObject
+    class Base < Stix2::Common
+    end
+  end
+end

data/lib/stix2/relationship_objects/relationship.rb

@@ -0,0 +1,12 @@
+module Stix2
+  module RelationshipObject
+    class Relationship < Base
+      property :relationship_type, required: true, coerce: String
+      property :description, coerce: String
+      property :source_ref, coerce: String
+      property :target_ref, coerce: String
+      property :start_time, coerce: Time
+      property :stop_time, coerce: Time
+    end
+  end
+end

data/lib/stix2/relationship_objects/sighting.rb

@@ -0,0 +1,14 @@
+module Stix2
+  module RelationshipObject
+    class Sighting < Base
+      property :description, coerce: String
+      property :first_seen, required: true, coerce: Time
+      property :last_seen, required: true, coerce: Time
+      property :count, coerce: Integer
+      property :sighting_of_ref, required: true, coerce: String
+      property :observed_data_refs, coerce: Array[String]
+      property :where_sighted_refs, coerce: Array[String]
+      property :summary, coerce: ->(v){ is_boolean?(v) }
+    end
+  end
+end

data/lib/stix2/storage.rb

@@ -0,0 +1,23 @@
+module Stix2
+  @@storage = nil
+
+  def self.storage_add(obj)
+    @@storage && @@storage[obj.id.to_s] = obj
+  end
+
+  def self.storage_activate
+    @@storage = {}
+  end
+
+  def self.storage_deactivate
+    @storage = nil
+  end
+
+  def self.storage_find(id)
+    @@storage[id.to_s]
+  end
+
+  def self.storage
+    @@storage
+  end
+end

data/lib/stix2/version.rb

@@ -0,0 +1,3 @@
+module Stix2
+  VERSION = '0.1.0'
+end

data/lib/stix2.rb

@@ -0,0 +1,101 @@
+require 'hashie'
+require 'json'
+require 'time'
+
+require 'stix2/version'
+require 'stix2/boolean'
+require 'stix2/external_reference'
+require 'stix2/identifier'
+require 'stix2/kill_chain_phase'
+require 'stix2/ov'
+require 'stix2/enum'
+
+require 'stix2/meta_objects/data_markings/granular_marking'
+require 'stix2/meta_objects/data_markings/object_marking'
+
+require 'stix2/common'
+require 'stix2/domain_objects/base'
+require 'stix2/domain_objects/attack_pattern'
+require 'stix2/domain_objects/campaign'
+require 'stix2/domain_objects/course_of_action'
+require 'stix2/domain_objects/grouping'
+require 'stix2/domain_objects/identity'
+require 'stix2/domain_objects/indicator'
+require 'stix2/domain_objects/infrastructure'
+require 'stix2/domain_objects/intrusion-set'
+require 'stix2/domain_objects/location'
+require 'stix2/domain_objects/malware'
+require 'stix2/domain_objects/malware_analysis'
+require 'stix2/domain_objects/note'
+require 'stix2/domain_objects/observed_data'
+require 'stix2/domain_objects/opinion'
+require 'stix2/domain_objects/report'
+require 'stix2/domain_objects/threat_actor'
+require 'stix2/domain_objects/tool'
+require 'stix2/domain_objects/vulnerability'
+
+require 'stix2/relationship_objects/base'
+require 'stix2/relationship_objects/relationship'
+require 'stix2/relationship_objects/sighting'
+
+require 'stix2/cyberobservable_objects/base'
+require 'stix2/cyberobservable_objects/artifact'
+require 'stix2/cyberobservable_objects/autonomous_system'
+require 'stix2/cyberobservable_objects/directory'
+require 'stix2/cyberobservable_objects/domain_name'
+require 'stix2/cyberobservable_objects/email_addr'
+require 'stix2/cyberobservable_objects/email_mime_part_type'
+require 'stix2/cyberobservable_objects/email_message'
+require 'stix2/cyberobservable_objects/file'
+require 'stix2/cyberobservable_objects/ipv4_addr'
+require 'stix2/cyberobservable_objects/ipv6_addr'
+require 'stix2/cyberobservable_objects/mac_addr'
+require 'stix2/cyberobservable_objects/mutex'
+require 'stix2/cyberobservable_objects/network_traffic'
+require 'stix2/cyberobservable_objects/software'
+require 'stix2/cyberobservable_objects/url'
+require 'stix2/cyberobservable_objects/user_account'
+require 'stix2/cyberobservable_objects/windows_registry_value'
+require 'stix2/cyberobservable_objects/windows_registry_key'
+require 'stix2/cyberobservable_objects/x509_v3_extension_type'
+require 'stix2/cyberobservable_objects/x509_certificate'
+
+require 'stix2/meta_objects/base'
+require 'stix2/meta_objects/language_content'
+
+require 'stix2/meta_objects/data_markings/base'
+require 'stix2/meta_objects/data_markings/marking_definition'
+
+require 'stix2/bundle'
+
+require 'stix2/storage'
+
+class Time
+  class <<self
+    alias :coerce :parse
+  end
+end
+
+module Stix2
+  def self.parse(options)
+    case options
+    when String
+      options_ = JSON.parse(options)
+    when Hash
+      options_ = options.clone
+    else
+      options_ = JSON.parse(options.to_s)
+    end
+    Hashie.symbolize_keys!(options_)
+    type = options_[:type]
+    raise("Property 'type' is missing") if !type
+    # Let's try to guess the domain of the object, among the known ones
+    ['DomainObject', 'RelationshipObject', 'CyberobservableObject', 'MetaObject', 
+      'MetaObject::DataMarking'].each do |family|
+      class_name = "Stix2::#{family}::#{type.split('-').map(&:capitalize).join}"
+      return Module.const_get(class_name).new(options_) if Module.const_defined?(class_name)
+    end
+    raise("Message unsupported: #{type}")
+  end
+end
+

data/ruby-stix2.gemspec

@@ -0,0 +1,27 @@
+# coding: utf-8
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'stix2/version'
+
+Gem::Specification.new do |spec|
+  spec.name        = "ruby-stix2"
+  spec.version     = Stix2::VERSION
+  spec.summary     = "Ruby implementation for the STIX protocol version 2"
+  spec.description = "Ruby implementation for the STIX protocol version 2"
+  spec.authors     = ["Dario Lombardo"]
+  spec.email       = "lomato@gmail.com"
+
+  spec.require_paths = ['lib']
+  spec.files       = `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features)/}) }
+  spec.homepage    = "https://rubygemspec.org/gems/stix2"
+  spec.license     = "GPL-2.0-or-later"
+
+  spec.add_dependency 'hashie', '~> 5.0.0'
+
+  spec.add_development_dependency 'bundler', '~> 2.3'
+  spec.add_development_dependency 'rake', '~> 13.0'
+  spec.add_development_dependency 'pry', '~> 0.13.0'
+  spec.add_development_dependency 'pry-byebug', '~> 3.10.1'
+  spec.add_development_dependency 'minitest', '~> 5.18.1'
+  spec.add_development_dependency 'simplecov', '~> 0.22.0'
+end