ruby-stix2 0.1.1 → 0.1.3

Files changed (63) hide show
  1. checksums.yaml +4 -4
  2. data/.github/workflows/build.yml +4 -3
  3. data/Gemfile +1 -1
  4. data/Gemfile.lock +48 -1
  5. data/README.md +1 -1
  6. data/lib/stix2/bundle.rb +5 -2
  7. data/lib/stix2/common.rb +47 -30
  8. data/lib/stix2/confidence_scale.rb +38 -38
  9. data/lib/stix2/custom_object.rb +5 -5
  10. data/lib/stix2/cyberobservable_objects/artifact.rb +1 -1
  11. data/lib/stix2/cyberobservable_objects/directory.rb +1 -1
  12. data/lib/stix2/cyberobservable_objects/domain_name.rb +1 -1
  13. data/lib/stix2/cyberobservable_objects/email_message.rb +7 -7
  14. data/lib/stix2/cyberobservable_objects/file.rb +2 -2
  15. data/lib/stix2/cyberobservable_objects/ipv4_addr.rb +4 -4
  16. data/lib/stix2/cyberobservable_objects/ipv6_addr.rb +4 -4
  17. data/lib/stix2/cyberobservable_objects/network_traffic.rb +3 -3
  18. data/lib/stix2/cyberobservable_objects/process.rb +3 -3
  19. data/lib/stix2/cyberobservable_objects/software.rb +1 -1
  20. data/lib/stix2/cyberobservable_objects/user_account.rb +4 -4
  21. data/lib/stix2/cyberobservable_objects/x509_certificate.rb +3 -3
  22. data/lib/stix2/domain_objects/attack_pattern.rb +3 -3
  23. data/lib/stix2/domain_objects/campaign.rb +1 -1
  24. data/lib/stix2/domain_objects/grouping.rb +1 -1
  25. data/lib/stix2/domain_objects/identity.rb +1 -1
  26. data/lib/stix2/domain_objects/indicator.rb +2 -2
  27. data/lib/stix2/domain_objects/infrastructure.rb +3 -3
  28. data/lib/stix2/domain_objects/intrusion-set.rb +3 -3
  29. data/lib/stix2/domain_objects/malware.rb +9 -9
  30. data/lib/stix2/domain_objects/malware_analysis.rb +3 -3
  31. data/lib/stix2/domain_objects/note.rb +2 -2
  32. data/lib/stix2/domain_objects/observed_data.rb +1 -1
  33. data/lib/stix2/domain_objects/opinion.rb +2 -2
  34. data/lib/stix2/domain_objects/report.rb +2 -2
  35. data/lib/stix2/domain_objects/threat_actor.rb +6 -6
  36. data/lib/stix2/domain_objects/tool.rb +3 -3
  37. data/lib/stix2/enum.rb +60 -60
  38. data/lib/stix2/extension_definition.rb +2 -2
  39. data/lib/stix2/extensions/alternate_data_stream_type.rb +1 -1
  40. data/lib/stix2/extensions/archive_file.rb +2 -2
  41. data/lib/stix2/extensions/icmp.rb +2 -2
  42. data/lib/stix2/extensions/ntfs.rb +2 -2
  43. data/lib/stix2/extensions/pdf.rb +2 -2
  44. data/lib/stix2/extensions/socket.rb +3 -3
  45. data/lib/stix2/extensions/unix_account.rb +1 -1
  46. data/lib/stix2/extensions/windows_pe_optional_header_type.rb +7 -7
  47. data/lib/stix2/extensions/windows_pe_section_type.rb +1 -1
  48. data/lib/stix2/extensions/windows_pebinary.rb +7 -7
  49. data/lib/stix2/extensions/windows_process.rb +2 -2
  50. data/lib/stix2/extensions/windows_service.rb +2 -2
  51. data/lib/stix2/external_reference.rb +1 -1
  52. data/lib/stix2/languages.rb +233 -233
  53. data/lib/stix2/meta_objects/data_markings/granular_marking.rb +1 -1
  54. data/lib/stix2/meta_objects/data_markings/marking_definition.rb +2 -2
  55. data/lib/stix2/meta_objects/data_markings/object_marking.rb +1 -1
  56. data/lib/stix2/meta_objects/language_content.rb +1 -1
  57. data/lib/stix2/ov.rb +263 -258
  58. data/lib/stix2/relationship_objects/relationship.rb +155 -2
  59. data/lib/stix2/relationship_objects/sighting.rb +3 -3
  60. data/lib/stix2/version.rb +1 -1
  61. data/lib/stix2.rb +90 -90
  62. data/ruby-stix2.gemspec +23 -23
  63. metadata +32 -4
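--- a/data/lib/stix2/ov.rb
+++ b/data/lib/stix2/ov.rb
@@ -1,325 +1,330 @@
  module Stix2
  INDICATOR_TYPE_OV = [
- 'anomalous-activity',
- 'anonymization',
- 'benign',
- 'compromised',
- 'malicious-activity',
- 'attribution',
- 'unknown'
+ "anomalous-activity",
+ "anonymization",
+ "benign",
+ "compromised",
+ "malicious-activity",
+ "attribution",
+ "unknown"
  ].freeze
 
  PATTERN_TYPE_OV = [
- 'stix',
- 'pcre',
- 'sigma',
- 'snort',
- 'suricata',
- 'yara'
+ "stix",
+ "pcre",
+ "sigma",
+ "snort",
+ "suricata",
+ "yara"
  ].freeze
 
  GROUPING_CONTEXT_OV = [
- 'suspicious-activity',
- 'malware-analysis',
- 'unspecified'
+ "suspicious-activity",
+ "malware-analysis",
+ "unspecified"
  ].freeze
 
  IDENTITY_CLASS_OV = [
- 'individual',
- 'group',
- 'system',
- 'organization',
- 'class',
- 'unspecified'
+ "individual",
+ "group",
+ "system",
+ "organization",
+ "class",
+ "unknown"
  ].freeze
 
  INDUSTRY_SECTOR_OV = [
- 'agriculture',
- 'aerospace',
- 'automotive',
- 'chemical',
- 'commercial',
- 'communications',
- 'construction',
- 'defense',
- 'education',
- 'energy',
- 'entertainment',
- 'financial-services',
- 'government (emergency-services, government-local, government-national, government-public-services, government-regional)',
- 'healthcare',
- 'hospitality-leisure',
- 'infrastructure (dams, nuclear, water)',
- 'insurance',
- 'manufacturing',
- 'mining',
- 'non-profit',
- 'pharmaceuticals',
- 'retail',
- 'technology',
- 'telecommunications',
- 'transportation',
- 'utilities'
+ "agriculture",
+ "aerospace",
+ "automotive",
+ "chemical",
+ "commercial",
+ "communications",
+ "construction",
+ "defense",
+ "education",
+ "energy",
+ "entertainment",
+ "financial-services",
+ "government (emergency-services, government-local, government-national, government-public-services, government-regional)",
+ "healthcare",
+ "hospitality-leisure",
+ "infrastructure (dams, nuclear, water)",
+ "insurance",
+ "manufacturing",
+ "mining",
+ "non-profit",
+ "pharmaceuticals",
+ "retail",
+ "technology",
+ "telecommunications",
+ "transportation",
+ "utilities"
  ].freeze
 
  MALWARE_TYPE_OV = [
- 'adware',
- 'backdoor',
- 'bot',
- 'bootkit',
- 'ddos',
- 'downloader',
- 'dropper',
- 'exploit-kit',
- 'keylogger',
- 'ransomware',
- 'remote-access-trojan',
- 'resource-exploitation',
- 'rogue-security-software',
- 'rootkit',
- 'screen-capture',
- 'spyware',
- 'trojan',
- 'unknown',
- 'virus',
- 'webshell',
- 'wiper',
- 'worm'
+ "adware",
+ "backdoor",
+ "bot",
+ "bootkit",
+ "ddos",
+ "downloader",
+ "dropper",
+ "exploit-kit",
+ "keylogger",
+ "ransomware",
+ "remote-access-trojan",
+ "resource-exploitation",
+ "rogue-security-software",
+ "rootkit",
+ "screen-capture",
+ "spyware",
+ "trojan",
+ "unknown",
+ "virus",
+ "webshell",
+ "wiper",
+ "worm"
  ].freeze
 
  PROCESSOR_ARCHITECTURE_OV = [
- 'alpha',
- 'arm',
- 'ia-64',
- 'mips',
- 'powerpc',
- 'sparc',
- 'x86',
- 'x86-64'
+ "alpha",
+ "arm",
+ "ia-64",
+ "mips",
+ "powerpc",
+ "sparc",
+ "x86",
+ "x86-64"
  ].freeze
 
  IMPLEMENTATION_LANGUAGE_OV = [
- 'applescript',
- 'bash',
- 'c',
- 'c++',
- 'c#',
- 'go',
- 'java',
- 'javascript',
- 'lua',
- 'objective-c',
- 'perl',
- 'php',
- 'powershell',
- 'python',
- 'ruby',
- 'scala',
- 'swift',
- 'typescript',
- 'visual-basic',
- 'x86-32',
- 'x86-64'
+ "applescript",
+ "bash",
+ "c",
+ "c++",
+ "c#",
+ "go",
+ "java",
+ "javascript",
+ "lua",
+ "objective-c",
+ "perl",
+ "php",
+ "powershell",
+ "python",
+ "ruby",
+ "scala",
+ "swift",
+ "typescript",
+ "visual-basic",
+ "x86-32",
+ "x86-64"
  ].freeze
 
  IMPLEMENTATION_CAPABILITIES_OV = [
- 'accesses-remote-machines',
- 'anti-debugging',
- 'anti-disassembly',
- 'anti-emulation',
- 'anti-memory-forensics',
- 'anti-sandbox',
- 'anti-vm',
- 'captures-input-peripherals',
- 'captures-output-peripherals',
- 'captures-system-state-data',
- 'cleans-traces-of-infection',
- 'commits-fraud',
- 'communicates-with-c2',
- 'compromises-data-availability',
- 'compromises-data-integrity',
- 'compromises-system-availability',
- 'controls-local-machine',
- 'degrades-security-software',
- 'degrades-system-updates',
- 'determines-c2-server',
- 'emails-spam',
- 'escalates-privileges',
- 'evades-av',
- 'exfiltrates-data',
- 'fingerprints-host',
- 'hides-artifacts',
- 'hides-executing-code',
- 'infects-files',
- 'infects-remote-machines',
- 'installs-other-components',
- 'persists-after-system-reboot',
- 'prevents-artifact-access',
- 'prevents-artifact-deletion',
- 'probes-network-environment',
- 'self-modifies',
- 'steals-authentication-credentials',
- 'violates-system-operational-integrity'
+ "accesses-remote-machines",
+ "anti-debugging",
+ "anti-disassembly",
+ "anti-emulation",
+ "anti-memory-forensics",
+ "anti-sandbox",
+ "anti-vm",
+ "captures-input-peripherals",
+ "captures-output-peripherals",
+ "captures-system-state-data",
+ "cleans-traces-of-infection",
+ "commits-fraud",
+ "communicates-with-c2",
+ "compromises-data-availability",
+ "compromises-data-integrity",
+ "compromises-system-availability",
+ "controls-local-machine",
+ "degrades-security-software",
+ "degrades-system-updates",
+ "determines-c2-server",
+ "emails-spam",
+ "escalates-privileges",
+ "evades-av",
+ "exfiltrates-data",
+ "fingerprints-host",
+ "hides-artifacts",
+ "hides-executing-code",
+ "infects-files",
+ "infects-remote-machines",
+ "installs-other-components",
+ "persists-after-system-reboot",
+ "prevents-artifact-access",
+ "prevents-artifact-deletion",
+ "probes-network-environment",
+ "self-modifies",
+ "steals-authentication-credentials",
+ "violates-system-operational-integrity"
  ].freeze
 
  INFRASTRUCTURE_TYPE_OV = [
- 'amplification',
- 'anonymization',
- 'botnet',
- 'command-and-control',
- 'exfiltration',
- 'hosting-malware',
- 'hosting-target-lists',
- 'phishing',
- 'reconnaissance',
- 'staging',
- 'undefined'
+ "amplification",
+ "anonymization",
+ "botnet",
+ "command-and-control",
+ "exfiltration",
+ "hosting-malware",
+ "hosting-target-lists",
+ "phishing",
+ "reconnaissance",
+ "staging",
+ "undefined"
  ].freeze
 
  ATTACK_RESOURCE_LEVEL_OV = [
- 'individual',
- 'club',
- 'contest',
- 'team',
- 'organization',
- 'government'
+ "individual",
+ "club",
+ "contest",
+ "team",
+ "organization",
+ "government"
  ].freeze
 
  ATTACK_MOTIVATION_OV = [
- 'accidental',
- 'coercion',
- 'dominance',
- 'ideology',
- 'notoriety',
- 'organizational-gain',
- 'personal-gain',
- 'personal-satisfaction',
- 'revenge',
- 'unpredictable'
+ "accidental",
+ "coercion",
+ "dominance",
+ "ideology",
+ "notoriety",
+ "organizational-gain",
+ "personal-gain",
+ "personal-satisfaction",
+ "revenge",
+ "unpredictable"
  ].freeze
 
  REGION_OV = [
- 'eastern-africa',
- 'middle-africa',
- 'northern-africa',
- 'southern-africa',
- 'western-africa',
- 'caribbean',
- 'central-america',
- 'latin-america-caribbean',
- 'northern-america',
- 'south-america',
- 'central-asia',
- 'eastern-asia',
- 'southern-asia',
- 'south-eastern-asia',
- 'western-asia',
- 'eastern-europe',
- 'northern-europe',
- 'southern-europe',
- 'western-europe',
- 'antarctica',
- 'australia-new-zealand',
- 'melanesia',
- 'micronesia',
- 'polynesia'
+ "africa",
+ "eastern-africa",
+ "middle-africa",
+ "northern-africa",
+ "southern-africa",
+ "western-africa",
+ "caribbean",
+ "central-america",
+ "americas",
+ "latin-america-caribbean",
+ "northern-america",
+ "south-america",
+ "asia",
+ "central-asia",
+ "eastern-asia",
+ "southern-asia",
+ "south-eastern-asia",
+ "western-asia",
+ "europe",
+ "eastern-europe",
+ "northern-europe",
+ "southern-europe",
+ "western-europe",
+ "oceania",
+ "antarctica",
+ "australia-new-zealand",
+ "melanesia",
+ "micronesia",
+ "polynesia"
  ].freeze
 
  MALWARE_RESULT_OV = [
- 'malicious',
- 'suspicious',
- 'benign',
- 'unknown'
+ "malicious",
+ "suspicious",
+ "benign",
+ "unknown"
  ].freeze
 
  REPORT_TYPE_OV = [
- 'attack-pattern',
- 'campaign',
- 'identity',
- 'indicator',
- 'intrusion-set',
- 'malware',
- 'observed-data',
- 'threat-actor',
- 'threat-report',
- 'tool',
- 'vulnerability'
+ "attack-pattern",
+ "campaign",
+ "identity",
+ "indicator",
+ "intrusion-set",
+ "malware",
+ "observed-data",
+ "threat-actor",
+ "threat-report",
+ "tool",
+ "vulnerability"
  ].freeze
 
  THREAT_ACTOR_TYPE_OV = [
- 'activist',
- 'competitor',
- 'crime-syndicate',
- 'criminal',
- 'hacker',
- 'insider-accidental',
- 'insider-disgruntled',
- 'nation-state',
- 'sensationalist',
- 'spy',
- 'terrorist',
- 'unknown'
+ "activist",
+ "competitor",
+ "crime-syndicate",
+ "criminal",
+ "hacker",
+ "insider-accidental",
+ "insider-disgruntled",
+ "nation-state",
+ "sensationalist",
+ "spy",
+ "terrorist",
+ "unknown"
  ].freeze
 
  THREAT_ACTOR_ROLE_OV = [
- 'agent',
- 'director',
- 'independent',
- 'infrastructure-architect',
- 'infrastructure-operator',
- 'malware-author',
- 'sponsor'
+ "agent",
+ "director",
+ "independent",
+ "infrastructure-architect",
+ "infrastructure-operator",
+ "malware-author",
+ "sponsor"
  ].freeze
 
  THREAT_ACTOR_SOPHISTICATION_OV = [
- 'none',
- 'minimal',
- 'intermediate',
- 'advanced',
- 'expert',
- 'innovator',
- 'strategic'
+ "none",
+ "minimal",
+ "intermediate",
+ "advanced",
+ "expert",
+ "innovator",
+ "strategic"
  ].freeze
 
  TOOL_TYPES_OV = [
- 'denial-of-service',
- 'exploitation',
- 'information-gathering',
- 'network-capture',
- 'credential-exploitation',
- 'remote-access',
- 'vulnerability-scanning',
- 'unknown'
+ "denial-of-service",
+ "exploitation",
+ "information-gathering",
+ "network-capture",
+ "credential-exploitation",
+ "remote-access",
+ "vulnerability-scanning",
+ "unknown"
  ].freeze
 
  HASH_ALGORITHM_OV = [
- 'MD5',
- 'SHA-1',
- 'SHA-256',
- 'SHA-512',
- 'SHA3-256',
- 'SHA3-512',
- 'SSDEEP',
- 'TLSH'
+ "MD5",
+ "SHA-1",
+ "SHA-256",
+ "SHA-512",
+ "SHA3-256",
+ "SHA3-512",
+ "SSDEEP",
+ "TLSH"
  ].freeze
 
  ACCOUNT_TYPE_OV = [
- 'facebook',
- 'ldap',
- 'nis',
- 'openid',
- 'radius',
- 'skype',
- 'tacacs',
- 'twitter',
- 'unix',
- 'windows-local',
- 'windows-domain'
+ "facebook",
+ "ldap",
+ "nis",
+ "openid",
+ "radius",
+ "skype",
+ "tacacs",
+ "twitter",
+ "unix",
+ "windows-local",
+ "windows-domain"
  ].freeze
 
  WINDOWS_PEBINARY_TYPE_OV = [
- 'dll',
- 'exe',
- 'sys'
+ "dll",
+ "exe",
+ "sys"
  ].freeze
  end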
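Review bot: The new `INDUSTRY_SECTOR_OV` still carries two composite entries, `"government (emergency-services, government-local, government-national, government-public-services, government-regional)"` and `"infrastructure (dams, nuclear, water)"` (new lines 49 and 52), which no producer will ever emit as a single value; the STIX 2.1 industry-sector-ov lists `government`, `emergency-services`, `government-local`, `government-national`, `government-public-services`, `government-regional`, `infrastructure`, `dams`, `nuclear` and `water` as separate entries, so anything that checks membership against this constant will presumably reject valid sector values. The quote-style reformat also hides two vocabulary changes — `IDENTITY_CLASS_OV` swaps `"unspecified"` for `"unknown"` and `REGION_OV` gains the continental values — which deserve a changelog entry since callers comparing against the old literals will see different results. Suggested split of the two composite entries below.
```ruby
INDUSTRY_SECTOR_OV = [
  # … unchanged: "agriculture" through "financial-services" …
  "government",
  "emergency-services",
  "government-local",
  "government-national",
  "government-public-services",
  "government-regional",
  # … unchanged: "healthcare", "hospitality-leisure" …
  "infrastructure",
  "dams",
  "nuclear",
  "water",
  # … unchanged: "insurance" through "utilities" …
```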