ruby-stix2 0.1.1 → 0.1.3
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/.github/workflows/build.yml +4 -3
- data/Gemfile +1 -1
- data/Gemfile.lock +48 -1
- data/README.md +1 -1
- data/lib/stix2/bundle.rb +5 -2
- data/lib/stix2/common.rb +47 -30
- data/lib/stix2/confidence_scale.rb +38 -38
- data/lib/stix2/custom_object.rb +5 -5
- data/lib/stix2/cyberobservable_objects/artifact.rb +1 -1
- data/lib/stix2/cyberobservable_objects/directory.rb +1 -1
- data/lib/stix2/cyberobservable_objects/domain_name.rb +1 -1
- data/lib/stix2/cyberobservable_objects/email_message.rb +7 -7
- data/lib/stix2/cyberobservable_objects/file.rb +2 -2
- data/lib/stix2/cyberobservable_objects/ipv4_addr.rb +4 -4
- data/lib/stix2/cyberobservable_objects/ipv6_addr.rb +4 -4
- data/lib/stix2/cyberobservable_objects/network_traffic.rb +3 -3
- data/lib/stix2/cyberobservable_objects/process.rb +3 -3
- data/lib/stix2/cyberobservable_objects/software.rb +1 -1
- data/lib/stix2/cyberobservable_objects/user_account.rb +4 -4
- data/lib/stix2/cyberobservable_objects/x509_certificate.rb +3 -3
- data/lib/stix2/domain_objects/attack_pattern.rb +3 -3
- data/lib/stix2/domain_objects/campaign.rb +1 -1
- data/lib/stix2/domain_objects/grouping.rb +1 -1
- data/lib/stix2/domain_objects/identity.rb +1 -1
- data/lib/stix2/domain_objects/indicator.rb +2 -2
- data/lib/stix2/domain_objects/infrastructure.rb +3 -3
- data/lib/stix2/domain_objects/intrusion-set.rb +3 -3
- data/lib/stix2/domain_objects/malware.rb +9 -9
- data/lib/stix2/domain_objects/malware_analysis.rb +3 -3
- data/lib/stix2/domain_objects/note.rb +2 -2
- data/lib/stix2/domain_objects/observed_data.rb +1 -1
- data/lib/stix2/domain_objects/opinion.rb +2 -2
- data/lib/stix2/domain_objects/report.rb +2 -2
- data/lib/stix2/domain_objects/threat_actor.rb +6 -6
- data/lib/stix2/domain_objects/tool.rb +3 -3
- data/lib/stix2/enum.rb +60 -60
- data/lib/stix2/extension_definition.rb +2 -2
- data/lib/stix2/extensions/alternate_data_stream_type.rb +1 -1
- data/lib/stix2/extensions/archive_file.rb +2 -2
- data/lib/stix2/extensions/icmp.rb +2 -2
- data/lib/stix2/extensions/ntfs.rb +2 -2
- data/lib/stix2/extensions/pdf.rb +2 -2
- data/lib/stix2/extensions/socket.rb +3 -3
- data/lib/stix2/extensions/unix_account.rb +1 -1
- data/lib/stix2/extensions/windows_pe_optional_header_type.rb +7 -7
- data/lib/stix2/extensions/windows_pe_section_type.rb +1 -1
- data/lib/stix2/extensions/windows_pebinary.rb +7 -7
- data/lib/stix2/extensions/windows_process.rb +2 -2
- data/lib/stix2/extensions/windows_service.rb +2 -2
- data/lib/stix2/external_reference.rb +1 -1
- data/lib/stix2/languages.rb +233 -233
- data/lib/stix2/meta_objects/data_markings/granular_marking.rb +1 -1
- data/lib/stix2/meta_objects/data_markings/marking_definition.rb +2 -2
- data/lib/stix2/meta_objects/data_markings/object_marking.rb +1 -1
- data/lib/stix2/meta_objects/language_content.rb +1 -1
- data/lib/stix2/ov.rb +263 -258
- data/lib/stix2/relationship_objects/relationship.rb +155 -2
- data/lib/stix2/relationship_objects/sighting.rb +3 -3
- data/lib/stix2/version.rb +1 -1
- data/lib/stix2.rb +90 -90
- data/ruby-stix2.gemspec +23 -23
- metadata +32 -4
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 1325e9bc73496954969bda48fbd2a096c63be31098e6207d72c8260e23a5118f
|
|
4
|
+
data.tar.gz: d3e59d85404608530150a0fce245f79a0de28598f0daa14bc68e96c598d623e9
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 4fa484ea080ce69d832a71fc45c27dc081385f769895fbbf345ef1eb81109982fa5b1b4bb187b1da6104dc1ee37acf75183164b2b11160609cb607db1c4976d7
|
|
7
|
+
data.tar.gz: 68ca00c8308ca9d3fd1b978ecd0525d81f169f4b85d21b03eef9ead386e7f0d4228a594755b442c77ea9c1f6ef1b4bf673c47834e71171fad725853cf30c9dca
|
data/.github/workflows/build.yml
CHANGED
|
@@ -10,11 +10,11 @@ jobs:
|
|
|
10
10
|
strategy:
|
|
11
11
|
matrix:
|
|
12
12
|
os: [ubuntu-latest, windows-latest]
|
|
13
|
-
ruby: ['
|
|
13
|
+
ruby: ['3.0', '3.1', '3.2', '3.3', head]
|
|
14
14
|
runs-on: ${{ matrix.os }}
|
|
15
15
|
permissions: write-all
|
|
16
16
|
steps:
|
|
17
|
-
- uses: actions/checkout@
|
|
17
|
+
- uses: actions/checkout@v4
|
|
18
18
|
- name: Set up Ruby
|
|
19
19
|
uses: ruby/setup-ruby@v1
|
|
20
20
|
with:
|
|
@@ -22,9 +22,10 @@ jobs:
|
|
|
22
22
|
bundler: latest
|
|
23
23
|
- run: bundle
|
|
24
24
|
- run: bundle exec rake test
|
|
25
|
+
- run: bundle exec standardrb
|
|
25
26
|
- name: SimpleCov Ruby ${{ matrix.ruby }}
|
|
26
27
|
uses: joshmfrankel/simplecov-check-action@main
|
|
27
|
-
if: ${{ matrix.os == 'ubuntu-latest' && matrix.ruby == '3.
|
|
28
|
+
if: ${{ matrix.os == 'ubuntu-latest' && matrix.ruby == '3.2' }}
|
|
28
29
|
with:
|
|
29
30
|
github_token: ${{ secrets.GITHUB_TOKEN }}
|
|
30
31
|
check_job_name: SimpleCov ${{ matrix.ruby }}
|
data/Gemfile
CHANGED
data/Gemfile.lock
CHANGED
|
@@ -1,12 +1,13 @@
|
|
|
1
1
|
PATH
|
|
2
2
|
remote: .
|
|
3
3
|
specs:
|
|
4
|
-
ruby-stix2 (0.1.
|
|
4
|
+
ruby-stix2 (0.1.3)
|
|
5
5
|
hashie (~> 5.0.0)
|
|
6
6
|
|
|
7
7
|
GEM
|
|
8
8
|
remote: https://rubygems.org/
|
|
9
9
|
specs:
|
|
10
|
+
ast (2.4.2)
|
|
10
11
|
byebug (11.1.3)
|
|
11
12
|
coderay (1.1.3)
|
|
12
13
|
docile (1.4.0)
|
|
@@ -14,23 +15,67 @@ GEM
|
|
|
14
15
|
io-console (0.6.0)
|
|
15
16
|
irb (1.7.0)
|
|
16
17
|
reline (>= 0.3.0)
|
|
18
|
+
json (2.7.2)
|
|
19
|
+
language_server-protocol (3.17.0.3)
|
|
20
|
+
lint_roller (1.1.0)
|
|
17
21
|
method_source (1.0.0)
|
|
18
22
|
minitest (5.18.1)
|
|
23
|
+
mutex_m (0.2.0)
|
|
24
|
+
parallel (1.24.0)
|
|
25
|
+
parser (3.3.0.5)
|
|
26
|
+
ast (~> 2.4.1)
|
|
27
|
+
racc
|
|
19
28
|
pry (0.13.1)
|
|
20
29
|
coderay (~> 1.1)
|
|
21
30
|
method_source (~> 1.0)
|
|
22
31
|
pry-byebug (3.10.1)
|
|
23
32
|
byebug (~> 11.0)
|
|
24
33
|
pry (>= 0.13, < 0.15)
|
|
34
|
+
racc (1.7.3)
|
|
35
|
+
rainbow (3.1.1)
|
|
25
36
|
rake (13.0.6)
|
|
37
|
+
regexp_parser (2.9.0)
|
|
26
38
|
reline (0.3.5)
|
|
27
39
|
io-console (~> 0.5)
|
|
40
|
+
rexml (3.2.6)
|
|
41
|
+
rubocop (1.62.1)
|
|
42
|
+
json (~> 2.3)
|
|
43
|
+
language_server-protocol (>= 3.17.0)
|
|
44
|
+
parallel (~> 1.10)
|
|
45
|
+
parser (>= 3.3.0.2)
|
|
46
|
+
rainbow (>= 2.2.2, < 4.0)
|
|
47
|
+
regexp_parser (>= 1.8, < 3.0)
|
|
48
|
+
rexml (>= 3.2.5, < 4.0)
|
|
49
|
+
rubocop-ast (>= 1.31.1, < 2.0)
|
|
50
|
+
ruby-progressbar (~> 1.7)
|
|
51
|
+
unicode-display_width (>= 2.4.0, < 3.0)
|
|
52
|
+
rubocop-ast (1.31.2)
|
|
53
|
+
parser (>= 3.3.0.4)
|
|
54
|
+
rubocop-performance (1.20.2)
|
|
55
|
+
rubocop (>= 1.48.1, < 2.0)
|
|
56
|
+
rubocop-ast (>= 1.30.0, < 2.0)
|
|
57
|
+
ruby-progressbar (1.13.0)
|
|
28
58
|
simplecov (0.22.0)
|
|
29
59
|
docile (~> 1.1)
|
|
30
60
|
simplecov-html (~> 0.11)
|
|
31
61
|
simplecov_json_formatter (~> 0.1)
|
|
32
62
|
simplecov-html (0.12.3)
|
|
33
63
|
simplecov_json_formatter (0.1.4)
|
|
64
|
+
standard (1.35.1)
|
|
65
|
+
language_server-protocol (~> 3.17.0.2)
|
|
66
|
+
lint_roller (~> 1.0)
|
|
67
|
+
rubocop (~> 1.62.0)
|
|
68
|
+
standard-custom (~> 1.0.0)
|
|
69
|
+
standard-performance (~> 1.3)
|
|
70
|
+
standard-custom (1.0.2)
|
|
71
|
+
lint_roller (~> 1.0)
|
|
72
|
+
rubocop (~> 1.50)
|
|
73
|
+
standard-performance (1.3.1)
|
|
74
|
+
lint_roller (~> 1.1)
|
|
75
|
+
rubocop-performance (~> 1.20.2)
|
|
76
|
+
standardrb (1.0.1)
|
|
77
|
+
standard
|
|
78
|
+
unicode-display_width (2.5.0)
|
|
34
79
|
|
|
35
80
|
PLATFORMS
|
|
36
81
|
x86_64-linux
|
|
@@ -39,11 +84,13 @@ DEPENDENCIES
|
|
|
39
84
|
bundler (~> 2.3)
|
|
40
85
|
irb (~> 1.7.0)
|
|
41
86
|
minitest (~> 5.18.1)
|
|
87
|
+
mutex_m (~> 0.2.0)
|
|
42
88
|
pry (~> 0.13.0)
|
|
43
89
|
pry-byebug (~> 3.10.1)
|
|
44
90
|
rake (~> 13.0)
|
|
45
91
|
ruby-stix2!
|
|
46
92
|
simplecov (~> 0.22.0)
|
|
93
|
+
standardrb (~> 1.0.1)
|
|
47
94
|
|
|
48
95
|
BUNDLED WITH
|
|
49
96
|
2.3.26
|
data/README.md
CHANGED
|
@@ -146,7 +146,7 @@ scales. To make this conversion smooth, an object offers the method `confidence_
|
|
|
146
146
|
indicator = Stix2::DomainObject::Indicator.new(confidence: i)
|
|
147
147
|
indicator.confidence # This is the raw integer
|
|
148
148
|
indicator.confidence_scale.to_admiralty_credibility # this is a string in this scale
|
|
149
|
-
indicator.confidence_scale.
|
|
149
|
+
indicator.confidence_scale.to_admiralty_credibility_stix # this is a string in stix mode
|
|
150
150
|
```
|
|
151
151
|
|
|
152
152
|
# Contribution
|
data/lib/stix2/bundle.rb
CHANGED
|
@@ -1,7 +1,10 @@
|
|
|
1
1
|
module Stix2
|
|
2
2
|
class Bundle < Stix2::Common
|
|
3
3
|
property :type, required: true, coerce: String
|
|
4
|
-
property :
|
|
5
|
-
|
|
4
|
+
property :objects, coerce: ->(array) do
|
|
5
|
+
array.all? do |element|
|
|
6
|
+
element.is_a?(::Stix2::Common) || Stix2.parse(element).is_a?(::Stix2::Common) || raise("Invalid Object")
|
|
7
|
+
end && array
|
|
8
|
+
end
|
|
6
9
|
end
|
|
7
10
|
end
|
data/lib/stix2/common.rb
CHANGED
|
@@ -1,33 +1,44 @@
|
|
|
1
|
+
require "securerandom"
|
|
2
|
+
|
|
1
3
|
module Stix2
|
|
2
|
-
SPEC_VERSIONS = [
|
|
4
|
+
SPEC_VERSIONS = ["2.1"]
|
|
5
|
+
UUID_NAMESPACE = "00abedb4-aa42-466c-9c01-fed23315a9b7"
|
|
3
6
|
|
|
4
7
|
class Common < Stix2::Base
|
|
8
|
+
include Hashie::Extensions::Dash::PropertyTranslation
|
|
5
9
|
property :type, required: true, coerce: String
|
|
6
|
-
property :spec_version, coerce: String, values: Stix2::SPEC_VERSIONS
|
|
7
|
-
property :id, coerce: Identifier
|
|
10
|
+
property :spec_version, coerce: String, values: Stix2::SPEC_VERSIONS, default: SPEC_VERSIONS.last
|
|
11
|
+
property :id, coerce: Identifier, required: true
|
|
8
12
|
property :created_by_ref, coerce: Identifier
|
|
9
13
|
property :created, coerce: Time
|
|
10
14
|
property :modified, coerce: Time
|
|
11
|
-
property :revoked, coerce: ->(value){ Stix2.to_bool(value) }
|
|
12
|
-
property :labels, coerce:
|
|
13
|
-
property :confidence, coerce: ->(value){
|
|
15
|
+
property :revoked, coerce: ->(value) { Stix2.to_bool(value) }
|
|
16
|
+
property :labels, coerce: [String]
|
|
17
|
+
property :confidence, coerce: ->(value) {
|
|
18
|
+
int = Integer(value)
|
|
19
|
+
[0..100].include?(int)
|
|
20
|
+
int
|
|
21
|
+
}
|
|
14
22
|
property :lang, coerce: String
|
|
15
|
-
property :external_references, coerce:
|
|
16
|
-
property :object_marking_refs, coerce:
|
|
17
|
-
property :granular_markings, coerce:
|
|
18
|
-
property :defanged, coerce: ->(value){ Stix2.to_bool(value) }
|
|
23
|
+
property :external_references, coerce: [ExternalReference]
|
|
24
|
+
property :object_marking_refs, coerce: [Stix2::MetaObject::DataMarking::ObjectMarking]
|
|
25
|
+
property :granular_markings, coerce: [MetaObject::DataMarking::GranularMarking]
|
|
26
|
+
property :defanged, coerce: ->(value) { Stix2.to_bool(value) }
|
|
19
27
|
property :extensions, coerce: Hash
|
|
20
28
|
|
|
21
29
|
def initialize(options = {})
|
|
22
30
|
Hashie.symbolize_keys!(options)
|
|
23
|
-
type = to_dash(self.class.name.split(
|
|
31
|
+
type = to_dash(self.class.name.split("::").last)
|
|
24
32
|
if options[:type]
|
|
25
|
-
if !options[:type].start_with?(
|
|
33
|
+
if !options[:type].start_with?("x-") && options[:type] != type
|
|
26
34
|
raise("Property 'type' must be '#{type}'")
|
|
27
35
|
end
|
|
28
36
|
else
|
|
29
37
|
options[:type] = type
|
|
30
38
|
end
|
|
39
|
+
|
|
40
|
+
options[:id] ||= "#{type}--#{SecureRandom.uuid}"
|
|
41
|
+
|
|
31
42
|
process_toplevel_property_extension(options[:extensions])
|
|
32
43
|
super(options)
|
|
33
44
|
process_extensions(options)
|
|
@@ -35,19 +46,23 @@ module Stix2
|
|
|
35
46
|
end
|
|
36
47
|
|
|
37
48
|
def method_missing(m, *args, &block)
|
|
38
|
-
if !m.to_s.end_with?(
|
|
49
|
+
if !m.to_s.end_with?("_instance")
|
|
39
50
|
# :nocov:
|
|
40
51
|
super(m, args, block)
|
|
41
52
|
return
|
|
42
53
|
# :nocov:
|
|
43
54
|
end
|
|
44
55
|
# Retrieve the original method
|
|
45
|
-
ref_method = m.to_s.gsub(/_instance$/,
|
|
56
|
+
ref_method = m.to_s.gsub(/_instance$/, "")
|
|
46
57
|
obj = send(ref_method)
|
|
47
58
|
raise("Can't get a Stix2::Identifier from #{ref_method}") if !obj.is_a?(Stix2::Identifier)
|
|
48
59
|
Stix2::Storage.find(obj)
|
|
49
60
|
end
|
|
50
61
|
|
|
62
|
+
def respond_to_missing?(method_name, include_private = false)
|
|
63
|
+
method_name.to_s.start_with?("_instance") || super
|
|
64
|
+
end
|
|
65
|
+
|
|
51
66
|
def confidence_scale
|
|
52
67
|
Stix2::ConfidenceScale.new(confidence)
|
|
53
68
|
end
|
|
@@ -63,20 +78,22 @@ module Stix2
|
|
|
63
78
|
excess.empty? || raise("Invalid values: #{excess}")
|
|
64
79
|
list
|
|
65
80
|
end
|
|
81
|
+
private_class_method :validate_array
|
|
66
82
|
|
|
67
83
|
def self.hash_dict(hsh)
|
|
68
84
|
validate_array(hsh.keys, HASH_ALGORITHM_OV)
|
|
69
85
|
hsh
|
|
70
86
|
end
|
|
87
|
+
private_class_method :hash_dict
|
|
71
88
|
|
|
72
89
|
def process_toplevel_property_extension(extensions)
|
|
73
|
-
extension_definition = extensions&.find{ |key, val| key.to_s.start_with?(
|
|
90
|
+
extension_definition = extensions&.find { |key, val| key.to_s.start_with?("extension-definition") }
|
|
74
91
|
return if !extension_definition
|
|
75
92
|
|
|
76
93
|
id = extension_definition.first
|
|
77
94
|
type = extension_definition.last[:extension_type]
|
|
78
|
-
if type ==
|
|
79
|
-
Stix2::Storage.active? || raise(
|
|
95
|
+
if type == "toplevel-property-extension"
|
|
96
|
+
Stix2::Storage.active? || raise("Stix.storage must be active to use toplevel-property-extension")
|
|
80
97
|
ext = Stix2::Storage.find(id)
|
|
81
98
|
ext.extension_properties.each do |prop|
|
|
82
99
|
self.class.class_eval do
|
|
@@ -90,32 +107,32 @@ module Stix2
|
|
|
90
107
|
options[:extensions]&.each do |id, value|
|
|
91
108
|
case id.to_s
|
|
92
109
|
when /[A-Z]/
|
|
93
|
-
raise(
|
|
94
|
-
when
|
|
110
|
+
raise("Invalid extension name format.")
|
|
111
|
+
when "archive-ext"
|
|
95
112
|
extensions[id] = Stix2::Extensions::ArchiveFile.new(value)
|
|
96
113
|
when /^extension-definition/
|
|
97
114
|
# Ignore it, already processes
|
|
98
|
-
when
|
|
115
|
+
when "socket-ext"
|
|
99
116
|
extensions[id] = Stix2::Extensions::Socket.new(value)
|
|
100
|
-
when
|
|
117
|
+
when "icmp-ext"
|
|
101
118
|
extensions[id] = Stix2::Extensions::Icmp.new(value)
|
|
102
|
-
when
|
|
119
|
+
when "http-request-ext"
|
|
103
120
|
extensions[id] = Stix2::Extensions::HttpRequest.new(value)
|
|
104
|
-
when
|
|
121
|
+
when "ntfs-ext"
|
|
105
122
|
extensions[id] = Stix2::Extensions::Ntfs.new(value)
|
|
106
|
-
when
|
|
123
|
+
when "tcp-ext"
|
|
107
124
|
extensions[id] = Stix2::Extensions::Tcp.new(value)
|
|
108
|
-
when
|
|
125
|
+
when "windows-process-ext"
|
|
109
126
|
extensions[id] = Stix2::Extensions::WindowsProcess.new(value)
|
|
110
|
-
when
|
|
127
|
+
when "windows-service-ext"
|
|
111
128
|
extensions[id] = Stix2::Extensions::WindowsService.new(value)
|
|
112
|
-
when
|
|
129
|
+
when "unix-account-ext"
|
|
113
130
|
extensions[id] = Stix2::Extensions::UnixAccount.new(value)
|
|
114
|
-
when
|
|
131
|
+
when "pdf-ext"
|
|
115
132
|
extensions[id] = Stix2::Extensions::Pdf.new(value)
|
|
116
|
-
when
|
|
133
|
+
when "raster-image-ext"
|
|
117
134
|
extensions[id] = Stix2::Extensions::RasterImage.new(value)
|
|
118
|
-
when
|
|
135
|
+
when "windows-pebinary-ext"
|
|
119
136
|
extensions[id] = Stix2::Extensions::WindowsPebinary.new(value)
|
|
120
137
|
else
|
|
121
138
|
# Ensure we have a hash
|
|
@@ -1,52 +1,52 @@
|
|
|
1
1
|
module Stix2
|
|
2
2
|
class ConfidenceScale
|
|
3
3
|
SCALE_NONE_LOW_MED_HIGH = {
|
|
4
|
-
0..0 => {
|
|
5
|
-
1..29 => {
|
|
6
|
-
30..69 => {
|
|
7
|
-
70..100 => {
|
|
4
|
+
0..0 => {scale: "None", stix: 0},
|
|
5
|
+
1..29 => {scale: "Low", stix: 15},
|
|
6
|
+
30..69 => {scale: "Med", stix: 50},
|
|
7
|
+
70..100 => {scale: "High", stix: 85}
|
|
8
8
|
}.freeze
|
|
9
9
|
|
|
10
10
|
SCALE_0_10 = {
|
|
11
|
-
0..4 => {
|
|
12
|
-
5..14 => {
|
|
13
|
-
15..24 => {
|
|
14
|
-
25..34 => {
|
|
15
|
-
35..44 => {
|
|
16
|
-
45..54 => {
|
|
17
|
-
55..64 => {
|
|
18
|
-
65..74 => {
|
|
19
|
-
75..84 => {
|
|
20
|
-
85..94 => {
|
|
21
|
-
95..100 => {
|
|
11
|
+
0..4 => {scale: 0, stix: 0},
|
|
12
|
+
5..14 => {scale: 1, stix: 10},
|
|
13
|
+
15..24 => {scale: 2, stix: 20},
|
|
14
|
+
25..34 => {scale: 3, stix: 30},
|
|
15
|
+
35..44 => {scale: 4, stix: 40},
|
|
16
|
+
45..54 => {scale: 5, stix: 50},
|
|
17
|
+
55..64 => {scale: 6, stix: 60},
|
|
18
|
+
65..74 => {scale: 7, stix: 70},
|
|
19
|
+
75..84 => {scale: 8, stix: 80},
|
|
20
|
+
85..94 => {scale: 9, stix: 90},
|
|
21
|
+
95..100 => {scale: 10, stix: 100}
|
|
22
22
|
}.freeze
|
|
23
23
|
|
|
24
24
|
SCALE_ADMIRALTY_CREDIBILITY = {
|
|
25
|
-
0..19 => {
|
|
26
|
-
20..39 => {
|
|
27
|
-
40..59 => {
|
|
28
|
-
60..79 => {
|
|
29
|
-
80..100 => {
|
|
25
|
+
0..19 => {scale: 5, stix: 10},
|
|
26
|
+
20..39 => {scale: 4, stix: 30},
|
|
27
|
+
40..59 => {scale: 3, stix: 50},
|
|
28
|
+
60..79 => {scale: 2, stix: 70},
|
|
29
|
+
80..100 => {scale: 1, stix: 90}
|
|
30
30
|
}.freeze
|
|
31
31
|
|
|
32
32
|
SCALE_WEP = {
|
|
33
|
-
0..0 => {
|
|
34
|
-
1..19 => {
|
|
35
|
-
20..39 => {
|
|
36
|
-
40..59 => {
|
|
37
|
-
60..79 => {
|
|
38
|
-
80..99 => {
|
|
39
|
-
100..100 => {
|
|
33
|
+
0..0 => {scale: "Impossible", stix: 0},
|
|
34
|
+
1..19 => {scale: "Highly Unlikely/Almost Certainly Not", stix: 10},
|
|
35
|
+
20..39 => {scale: "Unlikely/Probably Not", stix: 30},
|
|
36
|
+
40..59 => {scale: "Even Chance", stix: 50},
|
|
37
|
+
60..79 => {scale: "Likely/Probable", stix: 70},
|
|
38
|
+
80..99 => {scale: "Highly likely/Almost Certain", stix: 90},
|
|
39
|
+
100..100 => {scale: "Certain", stix: 100}
|
|
40
40
|
}.freeze
|
|
41
41
|
|
|
42
42
|
SCALE_DNI = {
|
|
43
|
-
0..9 => {
|
|
44
|
-
10..19 => {
|
|
45
|
-
20..39 => {
|
|
46
|
-
40..59 => {
|
|
47
|
-
60..79 => {
|
|
48
|
-
80..89 => {
|
|
49
|
-
90..100 => {
|
|
43
|
+
0..9 => {scale: "Almost No Chance / Remote", stix: 5},
|
|
44
|
+
10..19 => {scale: "Very Unlikely / Highly Improbable", stix: 15},
|
|
45
|
+
20..39 => {scale: "Unlikely / Improbable", stix: 30},
|
|
46
|
+
40..59 => {scale: "Roughly Even Chance / Roughly Even Odds", stix: 50},
|
|
47
|
+
60..79 => {scale: "Likely / Probable", stix: 70},
|
|
48
|
+
80..89 => {scale: "Very Likely / Highly Probable", stix: 85},
|
|
49
|
+
90..100 => {scale: "Almost Certain / Nearly Certain", stix: 95}
|
|
50
50
|
}.freeze
|
|
51
51
|
|
|
52
52
|
def initialize(value = nil)
|
|
@@ -54,12 +54,12 @@ module Stix2
|
|
|
54
54
|
end
|
|
55
55
|
|
|
56
56
|
def to_none_low_med_high
|
|
57
|
-
!@value &&
|
|
57
|
+
!@value && "Not Specified"
|
|
58
58
|
find_range(SCALE_NONE_LOW_MED_HIGH, :scale)
|
|
59
59
|
end
|
|
60
60
|
|
|
61
61
|
def to_none_low_med_high_stix
|
|
62
|
-
!@value &&
|
|
62
|
+
!@value && "Not Specified"
|
|
63
63
|
find_range(SCALE_NONE_LOW_MED_HIGH, :stix)
|
|
64
64
|
end
|
|
65
65
|
|
|
@@ -99,8 +99,8 @@ module Stix2
|
|
|
99
99
|
private
|
|
100
100
|
|
|
101
101
|
def find_range(constant, type)
|
|
102
|
-
!@value ||
|
|
103
|
-
constant.find{ |k,v| k.cover?(@value) }.last[type]
|
|
102
|
+
!@value || "Not Specified"
|
|
103
|
+
constant.find { |k, v| k.cover?(@value) }.last[type]
|
|
104
104
|
end
|
|
105
105
|
end
|
|
106
106
|
end
|
data/lib/stix2/custom_object.rb
CHANGED
|
@@ -6,12 +6,12 @@ module Stix2
|
|
|
6
6
|
|
|
7
7
|
def initialize(options)
|
|
8
8
|
Hashie.symbolize_keys!(options)
|
|
9
|
-
raise(
|
|
10
|
-
errors = Hash.new{ |k, v| k[v] = [] }
|
|
9
|
+
raise("A CustomObject must have at least one property") if options[:type] && options.count == 1
|
|
10
|
+
errors = Hash.new { |k, v| k[v] = [] }
|
|
11
11
|
options.each do |key, value|
|
|
12
|
-
errors[
|
|
13
|
-
errors[
|
|
14
|
-
errors[
|
|
12
|
+
errors["Too short"] << key if key != :id && key.size < 3
|
|
13
|
+
errors["Invalid name"] << key if !key.match?(/^[a-z0-9_]*$/)
|
|
14
|
+
errors["Too long"] << key if key.size > 250
|
|
15
15
|
end
|
|
16
16
|
raise("Error creating CustomObject: #{errors}") if !errors.empty?
|
|
17
17
|
super(options)
|
|
@@ -4,7 +4,7 @@ module Stix2
|
|
|
4
4
|
property :mime_type, coerce: String
|
|
5
5
|
property :payload_bin, coerce: String
|
|
6
6
|
property :url, coerce: String
|
|
7
|
-
property :hashes, coerce: ->(hsh){ hash_dict(hsh) }
|
|
7
|
+
property :hashes, coerce: ->(hsh) { hash_dict(hsh) }
|
|
8
8
|
property :encryption_algorithm, values: ENCRYPTION_ALGORITHM_ENUM
|
|
9
9
|
property :decryption_key, coerce: String
|
|
10
10
|
end
|
|
@@ -1,20 +1,20 @@
|
|
|
1
1
|
module Stix2
|
|
2
2
|
module CyberobservableObject
|
|
3
3
|
class EmailMessage < Base
|
|
4
|
-
property :is_multipart, required: true, coerce: ->(value){ Stix2.to_bool(value) }
|
|
4
|
+
property :is_multipart, required: true, coerce: ->(value) { Stix2.to_bool(value) }
|
|
5
5
|
property :date, coerce: Time
|
|
6
6
|
property :content_type, coerce: String
|
|
7
7
|
property :from_ref, coerce: Identifier
|
|
8
8
|
property :sender_ref, coerce: Identifier
|
|
9
|
-
property :to_refs, coerce:
|
|
10
|
-
property :cc_refs, coerce:
|
|
11
|
-
property :bcc_refs, coerce:
|
|
9
|
+
property :to_refs, coerce: [Identifier]
|
|
10
|
+
property :cc_refs, coerce: [Identifier]
|
|
11
|
+
property :bcc_refs, coerce: [Identifier]
|
|
12
12
|
property :message_id, coerce: String
|
|
13
13
|
property :subject, coerce: String
|
|
14
|
-
property :received_lines, coerce:
|
|
15
|
-
property :additional_header_fields, coerce:
|
|
14
|
+
property :received_lines, coerce: [String]
|
|
15
|
+
property :additional_header_fields, coerce: {String => String}
|
|
16
16
|
property :body, coerce: String
|
|
17
|
-
property :body_multipart, coerce:
|
|
17
|
+
property :body_multipart, coerce: [EmailMimePartType]
|
|
18
18
|
property :raw_email_ref, coerce: Identifier
|
|
19
19
|
end
|
|
20
20
|
end
|
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
module Stix2
|
|
2
2
|
module CyberobservableObject
|
|
3
3
|
class File < Base
|
|
4
|
-
property :hashes, coerce: ->(hsh){ hash_dict(hsh) }
|
|
4
|
+
property :hashes, coerce: ->(hsh) { hash_dict(hsh) }
|
|
5
5
|
property :size, coerce: Integer
|
|
6
6
|
property :name, coerce: String
|
|
7
7
|
property :name_enc, coerce: String
|
|
@@ -11,7 +11,7 @@ module Stix2
|
|
|
11
11
|
property :mtime, coerce: String
|
|
12
12
|
property :atime, coerce: String
|
|
13
13
|
property :parent_directory_ref, coerce: Identifier
|
|
14
|
-
property :contains_refs, coerce:
|
|
14
|
+
property :contains_refs, coerce: [Identifier]
|
|
15
15
|
property :content_ref, coerce: Identifier
|
|
16
16
|
end
|
|
17
17
|
end
|
|
@@ -1,11 +1,11 @@
|
|
|
1
|
-
require
|
|
1
|
+
require "ipaddr"
|
|
2
2
|
|
|
3
3
|
module Stix2
|
|
4
4
|
module CyberobservableObject
|
|
5
5
|
class Ipv4Addr < Base
|
|
6
|
-
property :value, required: true, coerce: ->(v){ IPAddr.new(v, Socket::AF_INET).to_s }
|
|
7
|
-
property :resolves_to_refs, coerce:
|
|
8
|
-
property :resolves_to_refs, coerce:
|
|
6
|
+
property :value, required: true, coerce: ->(v) { IPAddr.new(v, Socket::AF_INET).to_s }
|
|
7
|
+
property :resolves_to_refs, coerce: [Identifier]
|
|
8
|
+
property :resolves_to_refs, coerce: [Identifier]
|
|
9
9
|
end
|
|
10
10
|
end
|
|
11
11
|
end
|
|
@@ -1,11 +1,11 @@
|
|
|
1
|
-
require
|
|
1
|
+
require "ipaddr"
|
|
2
2
|
|
|
3
3
|
module Stix2
|
|
4
4
|
module CyberobservableObject
|
|
5
5
|
class Ipv6Addr < Base
|
|
6
|
-
property :value, required: true, coerce: ->(v){ IPAddr.new(v, Socket::AF_INET6).to_s }
|
|
7
|
-
property :resolves_to_refs, coerce:
|
|
8
|
-
property :resolves_to_refs, coerce:
|
|
6
|
+
property :value, required: true, coerce: ->(v) { IPAddr.new(v, Socket::AF_INET6).to_s }
|
|
7
|
+
property :resolves_to_refs, coerce: [Identifier]
|
|
8
|
+
property :resolves_to_refs, coerce: [Identifier]
|
|
9
9
|
end
|
|
10
10
|
end
|
|
11
11
|
end
|
|
@@ -3,12 +3,12 @@ module Stix2
|
|
|
3
3
|
class NetworkTraffic < Base
|
|
4
4
|
property :start, coerce: Time
|
|
5
5
|
property :end, coerce: Time
|
|
6
|
-
property :is_active, coerce: ->(v){ Stix2.to_bool(v) }
|
|
6
|
+
property :is_active, coerce: ->(v) { Stix2.to_bool(v) }
|
|
7
7
|
property :src_ref, coerce: Identifier
|
|
8
8
|
property :dst_ref, coerce: Identifier
|
|
9
9
|
property :src_port, coerce: Integer
|
|
10
10
|
property :dst_port, coerce: Integer
|
|
11
|
-
property :protocols, required: true, coerce:
|
|
11
|
+
property :protocols, required: true, coerce: [String]
|
|
12
12
|
property :src_byte_count, coerce: Integer
|
|
13
13
|
property :dst_byte_count, coerce: Integer
|
|
14
14
|
property :src_packets, coerce: Integer
|
|
@@ -16,7 +16,7 @@ module Stix2
|
|
|
16
16
|
property :ipfix, coerce: Hash
|
|
17
17
|
property :src_payload_ref, coerce: Identifier
|
|
18
18
|
property :dst_payload_ref, coerce: Identifier
|
|
19
|
-
property :encapsulates_refs, coerce:
|
|
19
|
+
property :encapsulates_refs, coerce: [Identifier]
|
|
20
20
|
property :encapsulated_by_ref, coerce: Identifier
|
|
21
21
|
end
|
|
22
22
|
end
|
|
@@ -1,17 +1,17 @@
|
|
|
1
1
|
module Stix2
|
|
2
2
|
module CyberobservableObject
|
|
3
3
|
class Process < Base
|
|
4
|
-
property :is_hidden, coerce: ->(value){ Stix2.to_bool(value) }
|
|
4
|
+
property :is_hidden, coerce: ->(value) { Stix2.to_bool(value) }
|
|
5
5
|
property :pid, coerce: Integer
|
|
6
6
|
property :created_time, coerce: Time
|
|
7
7
|
property :cwd, coerce: String
|
|
8
8
|
property :command_line, coerce: String
|
|
9
9
|
property :environment_variables, coerce: Hash
|
|
10
|
-
property :opened_connection_refs, coerce:
|
|
10
|
+
property :opened_connection_refs, coerce: [Identifier]
|
|
11
11
|
property :creator_user_ref, coerce: Identifier
|
|
12
12
|
property :image_ref, coerce: Identifier
|
|
13
13
|
property :parent_ref, coerce: Identifier
|
|
14
|
-
property :child_refs, coerce:
|
|
14
|
+
property :child_refs, coerce: [Identifier]
|
|
15
15
|
end
|
|
16
16
|
end
|
|
17
17
|
end
|
|
@@ -4,7 +4,7 @@ module Stix2
|
|
|
4
4
|
property :name, required: true, coerce: String
|
|
5
5
|
property :cpe, coerce: String
|
|
6
6
|
property :swid, coerce: String
|
|
7
|
-
property :languages, coerce:
|
|
7
|
+
property :languages, coerce: [String]
|
|
8
8
|
property :vendor, coerce: String
|
|
9
9
|
property :version, coerce: String
|
|
10
10
|
end
|
|
@@ -6,10 +6,10 @@ module Stix2
|
|
|
6
6
|
property :account_login, coerce: String
|
|
7
7
|
property :account_type, values: ACCOUNT_TYPE_OV
|
|
8
8
|
property :display_name, coerce: String
|
|
9
|
-
property :is_service_account, coerce: ->(value){ Stix2.to_bool(value) }
|
|
10
|
-
property :is_privileged, coerce: ->(value){ Stix2.to_bool(value) }
|
|
11
|
-
property :can_escalate_privs, coerce: ->(value){ Stix2.to_bool(value) }
|
|
12
|
-
property :is_disabled, coerce: ->(value){ Stix2.to_bool(value) }
|
|
9
|
+
property :is_service_account, coerce: ->(value) { Stix2.to_bool(value) }
|
|
10
|
+
property :is_privileged, coerce: ->(value) { Stix2.to_bool(value) }
|
|
11
|
+
property :can_escalate_privs, coerce: ->(value) { Stix2.to_bool(value) }
|
|
12
|
+
property :is_disabled, coerce: ->(value) { Stix2.to_bool(value) }
|
|
13
13
|
property :account_created, coerce: Time
|
|
14
14
|
property :account_expires, coerce: Time
|
|
15
15
|
property :credential_last_changed, coerce: Time
|
|
@@ -1,10 +1,10 @@
|
|
|
1
|
-
require
|
|
1
|
+
require "stix2/cyberobservable_objects/x509_v3_extension_type"
|
|
2
2
|
|
|
3
3
|
module Stix2
|
|
4
4
|
module CyberobservableObject
|
|
5
5
|
class X509Certificate < Base
|
|
6
|
-
property :is_self_signed, coerce: ->(v){ Stix2.to_bool(v) }
|
|
7
|
-
property :hashes, coerce: ->(hsh){ hash_dict(hsh) }
|
|
6
|
+
property :is_self_signed, coerce: ->(v) { Stix2.to_bool(v) }
|
|
7
|
+
property :hashes, coerce: ->(hsh) { hash_dict(hsh) }
|
|
8
8
|
property :version, coerce: String
|
|
9
9
|
property :serial_number, coerce: String
|
|
10
10
|
property :signature_algorithm, coerce: String
|