ruby-stix2 0.1.0 → 0.1.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 123ddb57694307c96be2fbdf9a9d9f8c9ac55fbbbf35dc7f71c196aadad728b6
-  data.tar.gz: fff53b71f98c23069d7c3dd0da2a4ca3799f424a162f10629029361b0624800e
+  metadata.gz: f69ada6e1bf635fb01ca7cfed49ed184447e14e8b85c2b5ff14e1640d1f18738
+  data.tar.gz: 56712374f185dc57787679dd8060eb32320cbff393fada2d5285a924bc48b3a1
 SHA512:
-  metadata.gz: e7aae57f5bf2b8415431df88dd2999ed85cfbf56f9f1634e750a0f00a53375c6dff96060ae96a4052eb2efca4471d38ac8244f1824f7f8f03df18ac883430517
-  data.tar.gz: 63a3575a2886265784846dccb94fe8e32f300ca4c3c8006311f27acb19c0dc3a87c792b2aa4530c73b5ce5e1a2fd8064a2bcf50c051778dd743e7f4fa6831d2a
+  metadata.gz: cc04f1a76a4e79f2e57365201e1fdadaa4f29eecb1c61f2e4f7a4be4d9201b238ee36aac3f5c6bd094acc77ae2be8720b41d0e0a8a2b62a52279304c4fc8bb64
+  data.tar.gz: 852ae67a130e1a0338fd0d44af58746caab042d92b7b2bbd3c09c4edba2b0860eb0ff4a2c76a9346c802b8b7a47150e4bfae2b6039b31c082fed9f4da3b7e8ea

data/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    ruby-stix2 (0.1.0)
+    ruby-stix2 (0.1.1)
       hashie (~> 5.0.0)
 
 GEM
@@ -11,6 +11,9 @@ GEM
     coderay (1.1.3)
     docile (1.4.0)
     hashie (5.0.0)
+    io-console (0.6.0)
+    irb (1.7.0)
+      reline (>= 0.3.0)
     method_source (1.0.0)
     minitest (5.18.1)
     pry (0.13.1)
@@ -20,6 +23,8 @@ GEM
       byebug (~> 11.0)
       pry (>= 0.13, < 0.15)
     rake (13.0.6)
+    reline (0.3.5)
+      io-console (~> 0.5)
     simplecov (0.22.0)
       docile (~> 1.1)
       simplecov-html (~> 0.11)
@@ -32,6 +37,7 @@ PLATFORMS
 
 DEPENDENCIES
   bundler (~> 2.3)
+  irb (~> 1.7.0)
   minitest (~> 5.18.1)
   pry (~> 0.13.0)
   pry-byebug (~> 3.10.1)

data/README.md

@@ -12,7 +12,7 @@ gem install ruby-stix2
 or as part of the bundle
 
 ```
-bundle add typhoeus
+bundle add ruby-stix2
 ```
 
 # Usage
@@ -69,7 +69,7 @@ Stix2 message.
 # Storage
 
 The Stix2 standard has several object types, some of which are containers of other objects (like `Bundle`). However we
-may want to save and retrieve Stix2 objects in a fast way. The gem provides a `storage` support for that.
+may want to save and retrieve Stix2 objects in a fast way. The gem provides a `Stix::Storage` support for that.
 
 For any Stix2 attribute that is an `identifier` (`Stix2::Identifier` in the gem) the class gives one more method called
 `_instance` to retrieve the actual instance. If we have a `threat-actor` like this
@@ -98,7 +98,7 @@ we know that this object has been created by an identity `identity--f431f809-377
 retrieve the other object if already seen
 
 ```ruby
-Stix2.storage_activate # Activate the storage
+Stix2::Storage.activate # Activate the storage
 
 identity = Stix2::DomainObject::Identity.new(id: 'identity--f431f809-377b-45e0-aa1c-6a4751cae5ff', ...)
 threat_actor = Stix2::DomainObject::ThreatActor.new(created_by_ref: 'identity--f431f809-377b-45e0-aa1c-6a4751cae5ff', ...)
@@ -107,6 +107,48 @@ threat_actor.created_by_ref # this gives the identifier => identity--f431f809-37
 threat_actor.created_by_ref_instance # this gives the actual object => Stix2::DomainObject::Identity
 ```
 
+# Spec versions
+
+This gem implements the spec version `2.1`. However older version (especially 2.0) can be compatible. To force the gem
+to accept another spec version, just add them to the `SPEC_VERSIONS` variable.
+
+```ruby
+Stix2::SPEC_VERSIONS << '2.0'
+```
+
+# Custom Definitions
+
+The Stix2 standard includes several extensions to base objects. All extensions are widely described in the standard 
+itself, please refer to it. However two of them need more attention for how they are implemented in this gem.
+
+## Extension Definition
+
+This object allows the definition of new properties. One special property is `toplevel-property-extension` that allows
+the definition of properties on the top-level of an object. According to the standard thos properties should be
+defined solely on the object that is actually using the property. However due to the `hashie`-based implementation
+the gem declares the new properties on the class itself. This is a known limitation of the current implementation and
+it may be fixed in the future.
+
+## Custom Object
+
+A `CustomObject` can also be used within the Gem. The standard defines the rules that must be fulfilled for a custom
+object. Since those rules are several, the code stacks all the errors altogether and raises an exception when some
+errors happen. The exception is RuntimeError, that gives the user a string. It is suboptimal to have multiple errors
+in a string, and it may be fixed in the future.
+
+# Confidence
+
+A Stix2 object can have the property `confidence` set. This value can be expressed according to several conficence 
+scales. To make this conversion smooth, an object offers the method `confidence_scale` that is an instance of
+`Stix2::ConfidenceScale`. This class offers method for all the scales the standard includes.
+
+```ruby
+indicator = Stix2::DomainObject::Indicator.new(confidence: i)
+indicator.confidence # This is the raw integer
+indicator.confidence_scale.to_admiralty_credibility # this is a string in this scale
+indicator.confidence_scale.to_admiralty_credibility_strix # this is a string in stix mode
+```
+
 # Contribution
 
 You can contribute to this project in 2 ways:
@@ -114,3 +156,7 @@ You can contribute to this project in 2 ways:
 - with a PR: just follow the standard github workflow
 - by pointing out missing support: open an issue and please provide a json containing the missing support, to simplify
 the development
+
+# See also
+
+Ruby Stix2: https://github.com/crondaemon/ruby-taxii2

data/lib/stix2/base.rb

@@ -0,0 +1,7 @@
+module Stix2
+  class Base < Hashie::Dash
+    include Hashie::Extensions::Dash::PredefinedValues
+    include Hashie::Extensions::IndifferentAccess
+    include Hashie::Extensions::Dash::Coercion
+  end
+end

data/lib/stix2/common.rb

@@ -1,44 +1,55 @@
 module Stix2
-  class Common < Hashie::Dash
-    include Hashie::Extensions::Dash::PredefinedValues
-    include Hashie::Extensions::IndifferentAccess
-    include Hashie::Extensions::Dash::Coercion
+  SPEC_VERSIONS = ['2.1']
 
+  class Common < Stix2::Base
     property :type, required: true, coerce: String
-    property :spec_version, coerce: String, values: ['2.1']
+    property :spec_version, coerce: String, values: Stix2::SPEC_VERSIONS
     property :id, coerce: Identifier
     property :created_by_ref, coerce: Identifier
     property :created, coerce: Time
     property :modified, coerce: Time
-    property :revoked, coerce: Stix2::Boolean
+    property :revoked, coerce: ->(value){ Stix2.to_bool(value) }
     property :labels, coerce: Array[String]
-    property :confidence, coerce: Integer
+    property :confidence, coerce: ->(value){ int = Integer(value) ; [0..100].include?(int) ; int }
     property :lang, coerce: String
     property :external_references, coerce: Array[ExternalReference]
     property :object_marking_refs, coerce: Array[Stix2::MetaObject::DataMarking::ObjectMarking]
     property :granular_markings, coerce: Array[MetaObject::DataMarking::GranularMarking]
-    property :defanged, coerce: Stix2::Boolean
+    property :defanged, coerce: ->(value){ Stix2.to_bool(value) }
     property :extensions, coerce: Hash
 
     def initialize(options = {})
       Hashie.symbolize_keys!(options)
       type = to_dash(self.class.name.split('::').last)
       if options[:type]
-        raise("Property 'type' must be '#{type}'") if options[:type] != type
+        if !options[:type].start_with?('x-') && options[:type] != type
+          raise("Property 'type' must be '#{type}'")
+        end
       else
         options[:type] = type
       end
+      process_toplevel_property_extension(options[:extensions])
       super(options)
-      Stix2.storage_add(self)
+      process_extensions(options)
+      Stix2::Storage.add(self)
     end
 
     def method_missing(m, *args, &block)
-      super(m, args, block) if !m.to_s.end_with?('_instance')
+      if !m.to_s.end_with?('_instance')
+        # :nocov:
+        super(m, args, block)
+        return
+        # :nocov:
+      end
       # Retrieve the original method
       ref_method = m.to_s.gsub(/_instance$/, '')
       obj = send(ref_method)
       raise("Can't get a Stix2::Identifier from #{ref_method}") if !obj.is_a?(Stix2::Identifier)
-      Stix2.storage_find(obj)
+      Stix2::Storage.find(obj)
+    end
+
+    def confidence_scale
+      Stix2::ConfidenceScale.new(confidence)
     end
 
     private
@@ -48,15 +59,69 @@ module Stix2
     end
 
     def self.validate_array(list, valid_values)
-      excess = (Array(list) - valid_values)
+      excess = (Array(list).map(&:to_s) - valid_values.map(&:to_s))
       excess.empty? || raise("Invalid values: #{excess}")
       list
     end
 
     def self.hash_dict(hsh)
-      invalids = hsh.keys.map(&:to_s) - HASH_ALGORITHM_OV
-      invalids.empty? || raise("Invalid values: #{invalids}")
+      validate_array(hsh.keys, HASH_ALGORITHM_OV)
       hsh
     end
+
+    def process_toplevel_property_extension(extensions)
+      extension_definition = extensions&.find{ |key, val| key.to_s.start_with?('extension-definition') }
+      return if !extension_definition
+
+      id = extension_definition.first
+      type = extension_definition.last[:extension_type]
+      if type == 'toplevel-property-extension'
+        Stix2::Storage.active? || raise('Stix.storage must be active to use toplevel-property-extension')
+        ext = Stix2::Storage.find(id)
+        ext.extension_properties.each do |prop|
+          self.class.class_eval do
+            property prop
+          end
+        end
+      end
+    end
+
+    def process_extensions(options)
+      options[:extensions]&.each do |id, value|
+        case id.to_s
+        when /[A-Z]/
+          raise('Invalid extension name format.')
+        when 'archive-ext'
+          extensions[id] = Stix2::Extensions::ArchiveFile.new(value)
+        when /^extension-definition/
+          # Ignore it, already processes
+        when 'socket-ext'
+          extensions[id] = Stix2::Extensions::Socket.new(value)
+        when 'icmp-ext'
+          extensions[id] = Stix2::Extensions::Icmp.new(value)
+        when 'http-request-ext'
+          extensions[id] = Stix2::Extensions::HttpRequest.new(value)
+        when 'ntfs-ext'
+          extensions[id] = Stix2::Extensions::Ntfs.new(value)
+        when 'tcp-ext'
+          extensions[id] = Stix2::Extensions::Tcp.new(value)
+        when 'windows-process-ext'
+          extensions[id] = Stix2::Extensions::WindowsProcess.new(value)
+        when 'windows-service-ext'
+          extensions[id] = Stix2::Extensions::WindowsService.new(value)
+        when 'unix-account-ext'
+          extensions[id] = Stix2::Extensions::UnixAccount.new(value)
+        when 'pdf-ext'
+          extensions[id] = Stix2::Extensions::Pdf.new(value)
+        when 'raster-image-ext'
+          extensions[id] = Stix2::Extensions::RasterImage.new(value)
+        when 'windows-pebinary-ext'
+          extensions[id] = Stix2::Extensions::WindowsPebinary.new(value)
+        else
+          # Ensure we have a hash
+          value.is_a?(Hash) || raise("Custom extension must be Hash: #{value}")
+        end
+      end
+    end
   end
 end

data/lib/stix2/confidence_scale.rb

@@ -0,0 +1,106 @@
+module Stix2
+  class ConfidenceScale
+    SCALE_NONE_LOW_MED_HIGH = {
+      0..0 => { scale: 'None', stix: 0 },
+      1..29 => { scale: 'Low', stix: 15 },
+      30..69 => { scale: 'Med', stix: 50 },
+      70..100 => { scale: 'High', stix: 85 }
+    }.freeze
+
+    SCALE_0_10 = {
+      0..4 => { scale: 0, stix: 0 },
+      5..14 => { scale: 1, stix: 10 },
+      15..24 => { scale: 2, stix: 20 },
+      25..34 => { scale: 3, stix: 30 },
+      35..44 => { scale: 4, stix: 40 },
+      45..54 => { scale: 5, stix: 50 },
+      55..64 => { scale: 6, stix: 60 },
+      65..74 => { scale: 7, stix: 70 },
+      75..84 => { scale: 8, stix: 80 },
+      85..94 => { scale: 9, stix: 90 },
+      95..100 => { scale: 10, stix: 100 }
+    }.freeze
+
+    SCALE_ADMIRALTY_CREDIBILITY = {
+      0..19 => { scale: 5, stix: 10 },
+      20..39 => { scale: 4, stix: 30 },
+      40..59 => { scale: 3, stix: 50 },
+      60..79 => { scale: 2, stix: 70 },
+      80..100 => { scale: 1, stix: 90 }
+    }.freeze
+
+    SCALE_WEP = {
+      0..0 => { scale: 'Impossible', stix: 0 },
+      1..19 => { scale: 'Highly Unlikely/Almost Certainly Not', stix: 10 },
+      20..39 => { scale: 'Unlikely/Probably Not', stix: 30 },
+      40..59 => { scale: 'Even Chance', stix: 50 },
+      60..79 => { scale: 'Likely/Probable', stix: 70 },
+      80..99 => { scale: 'Highly likely/Almost Certain', stix: 90 },
+      100..100 => { scale: 'Certain', stix: 100 }
+    }.freeze
+
+    SCALE_DNI = {
+      0..9 => { scale: 'Almost No Chance / Remote' , stix: 5 },
+      10..19 => { scale: 'Very Unlikely / Highly Improbable', stix: 15 },
+      20..39 => { scale: 'Unlikely / Improbable', stix: 30 },
+      40..59 => { scale: 'Roughly Even Chance / Roughly Even Odds', stix: 50 },
+      60..79 => { scale: 'Likely / Probable', stix: 70 },
+      80..89 => { scale: 'Very Likely / Highly Probable', stix: 85 },
+      90..100 => { scale: 'Almost Certain / Nearly Certain', stix: 95 }
+    }.freeze
+
+    def initialize(value = nil)
+      @value = value
+    end
+
+    def to_none_low_med_high
+      !@value && 'Not Specified'
+      find_range(SCALE_NONE_LOW_MED_HIGH, :scale)
+    end
+
+    def to_none_low_med_high_stix
+      !@value && 'Not Specified'
+      find_range(SCALE_NONE_LOW_MED_HIGH, :stix)
+    end
+
+    def to_0_10
+      !@value && 6
+      find_range(SCALE_0_10, :scale)
+    end
+
+    def to_0_10_stix
+      find_range(SCALE_0_10, :stix)
+    end
+
+    def to_admiralty_credibility
+      find_range(SCALE_ADMIRALTY_CREDIBILITY, :scale)
+    end
+
+    def to_admiralty_credibility_stix
+      find_range(SCALE_ADMIRALTY_CREDIBILITY, :stix)
+    end
+
+    def to_wep
+      find_range(SCALE_WEP, :scale)
+    end
+
+    def to_wep_stix
+      find_range(SCALE_WEP, :stix)
+    end
+
+    def to_dni_scale
+      find_range(SCALE_DNI, :scale)
+    end
+
+    def to_dni_scale_stix
+      find_range(SCALE_DNI, :stix)
+    end
+
+    private
+
+    def find_range(constant, type)
+      !@value || 'Not Specified'
+      constant.find{ |k,v| k.cover?(@value) }.last[type]
+    end
+  end
+end

data/lib/stix2/custom_object.rb

@@ -0,0 +1,20 @@
+module Stix2
+  class CustomObject < Stix2::Common
+    include Hashie::Extensions::IgnoreUndeclared
+
+    property :id, coerce: Identifier
+
+    def initialize(options)
+      Hashie.symbolize_keys!(options)
+      raise('A CustomObject must have at least one property') if options[:type] && options.count == 1
+      errors = Hash.new{ |k, v| k[v] = [] }
+      options.each do |key, value|
+        errors['Too short'] << key if key != :id && key.size < 3
+        errors['Invalid name'] << key if !key.match?(/^[a-z0-9_]*$/)
+        errors['Too long'] << key if key.size > 250
+      end
+      raise("Error creating CustomObject: #{errors}") if !errors.empty?
+      super(options)
+    end
+  end
+end

data/lib/stix2/cyberobservable_objects/email_message.rb

@@ -1,7 +1,7 @@
 module Stix2
   module CyberobservableObject
     class EmailMessage < Base
-      property :is_multipart, required: true, coerce: Stix2::Boolean
+      property :is_multipart, required: true, coerce: ->(value){ Stix2.to_bool(value) }
       property :date, coerce: Time
       property :content_type, coerce: String
       property :from_ref, coerce: Identifier

data/lib/stix2/cyberobservable_objects/network_traffic.rb

@@ -3,7 +3,7 @@ module Stix2
     class NetworkTraffic < Base
       property :start, coerce: Time
       property :end, coerce: Time
-      property :is_active, coerce: ->(v){ boolean(v) }
+      property :is_active, coerce: ->(v){ Stix2.to_bool(v) }
       property :src_ref, coerce: Identifier
       property :dst_ref, coerce: Identifier
       property :src_port, coerce: Integer

data/lib/stix2/cyberobservable_objects/process.rb

@@ -0,0 +1,17 @@
+module Stix2
+  module CyberobservableObject
+    class Process < Base
+      property :is_hidden, coerce: ->(value){ Stix2.to_bool(value) }
+      property :pid, coerce: Integer
+      property :created_time, coerce: Time
+      property :cwd, coerce: String
+      property :command_line, coerce: String
+      property :environment_variables, coerce: Hash
+      property :opened_connection_refs, coerce: Array[Identifier]
+      property :creator_user_ref, coerce: Identifier
+      property :image_ref, coerce: Identifier
+      property :parent_ref, coerce: Identifier
+      property :child_refs, coerce: Array[Identifier]
+    end
+  end
+end

data/lib/stix2/cyberobservable_objects/user_account.rb

@@ -6,10 +6,10 @@ module Stix2
       property :account_login, coerce: String
       property :account_type, values: ACCOUNT_TYPE_OV
       property :display_name, coerce: String
-      property :is_service_account, coerce: Stix2::Boolean
-      property :is_privileged, coerce: Stix2::Boolean
-      property :can_escalate_privs, coerce: Stix2::Boolean
-      property :is_disabled, coerce: Stix2::Boolean
+      property :is_service_account, coerce: ->(value){ Stix2.to_bool(value) }
+      property :is_privileged, coerce: ->(value){ Stix2.to_bool(value) }
+      property :can_escalate_privs, coerce: ->(value){ Stix2.to_bool(value) }
+      property :is_disabled, coerce: ->(value){ Stix2.to_bool(value) }
       property :account_created, coerce: Time
       property :account_expires, coerce: Time
       property :credential_last_changed, coerce: Time

data/lib/stix2/cyberobservable_objects/x509_certificate.rb

@@ -1,7 +1,9 @@
+require 'stix2/cyberobservable_objects/x509_v3_extension_type'
+
 module Stix2
   module CyberobservableObject
     class X509Certificate < Base
-      property :is_self_signed, coerce: ->(v){ boolean(v) }
+      property :is_self_signed, coerce: ->(v){ Stix2.to_bool(v) }
       property :hashes, coerce: ->(hsh){ hash_dict(hsh) }
       property :version, coerce: String
       property :serial_number, coerce: String

data/lib/stix2/domain_objects/malware.rb

@@ -4,7 +4,7 @@ module Stix2
       property :name, coerce: String
       property :description, coerce: String
       property :malware_types, coerce: ->(v){ validate_array(v, Stix2::MALWARE_TYPE_OV) }
-      property :is_family, coerce: ->(v){ is_boolean?(v) }
+      property :is_family, coerce: ->(v){ Stix2.to_bool(v) }
       property :aliases, coerce: Array[String]
       property :kill_chain_phases, coerce: Array[KillChainPhase]
       property :first_seen, coerce: Time

data/lib/stix2/enum.rb

@@ -29,4 +29,63 @@ module Stix2
     'REG_QWORD',
     'REG_INVALID_TYPE'
   ].freeze
+
+  EXTENSION_TYPE_ENUM = [
+    'new-sdo',
+    'new-sco',
+    'new-sro',
+    'property-extension',
+    'toplevel-property-extension'
+  ].freeze
+
+  NETWORK_SOCKET_ADDRESS_FAMILY_ENUM = [
+    'AF_UNSPEC',
+    'AF_INET',
+    'AF_IPX',
+    'AF_APPLETALK',
+    'AF_NETBIOS',
+    'AF_INET6',
+    'AF_IRDA',
+    'AF_BTH'
+  ].freeze
+
+  NETWORK_SOCKET_TYPE_ENUM = [
+    'SOCK_STREAM',
+    'AF_ISOCK_DGRAMNET',
+    'SOCK_RAW',
+    'SOCK_RDM',
+    'SOCK_SEQPACKET'
+  ].freeze
+
+  WINDOWS_INTEGRITY_LEVEL_ENUM = [
+    'low',
+    'medium',
+    'high',
+    'system'
+  ].freeze
+
+  WINDOWS_SERVICE_START_TYPE_ENUM = [
+    'SERVICE_AUTO_START',
+    'SERVICE_BOOT_START',
+    'SERVICE_DEMAND_START',
+    'SERVICE_DISABLED',
+    'SERVICE_SYSTEM_ALERT'
+  ].freeze
+
+  WINDOWS_SERVICE_TYPE_ENUM = [
+    'SERVICE_KERNEL_DRIVER',
+    'SERVICE_FILE_SYSTEM_DRIVER',
+    'SERVICE_WIN32_OWN_PROCESS',
+    'SERVICE_WIN32_SHARE_PROCESS'
+  ].freeze
+
+  WINDOWS_SERVICE_STATUS_ENUM = [
+    'SERVICE_CONTINUE_PENDING',
+    'SERVICE_PAUSE_PENDING',
+    'SERVICE_PAUSED',
+    'SERVICE_RUNNING',
+    'SERVICE_START_PENDING',
+    'SERVICE_STOP_PENDING',
+    'SERVICE_STOPPED'
+  ].freeze
 end

data/lib/stix2/extension_definition.rb

@@ -0,0 +1,10 @@
+module Stix2
+  class ExtensionDefinition < Stix2::Common
+    property :name, required: true, coerce: String
+    property :description, coerce: String
+    property :schema, required: true, coerce: String
+    property :version, required: true, coerce: String
+    property :extension_types, required: true, coerce: ->(values){ validate_array(values, EXTENSION_TYPE_ENUM) }
+    property :extension_properties, coerce: Array[String]
+  end
+end

data/lib/stix2/extensions/alternate_data_stream_type.rb

@@ -0,0 +1,9 @@
+module Stix2
+  module Extensions
+    class AlternateDataStreamType < Stix2::Base
+      property :name, required: true, coerce: String
+      property :hashes, coerce: ->(hsh){ hash_dict(hsh) }
+      property :size, coerce: Integer
+    end
+  end
+end

data/lib/stix2/extensions/archive_file.rb

@@ -0,0 +1,8 @@
+module Stix2
+  module Extensions
+    class ArchiveFile < Stix2::Base
+      property :contains_refs, required: true, coerce: Array[Identifier]
+      property :comment, coerce: String
+    end
+  end
+end

data/lib/stix2/extensions/http_request.rb

@@ -0,0 +1,12 @@
+module Stix2
+  module Extensions
+    class HttpRequest < Stix2::Base
+      property :request_method, required: true, coerce: String
+      property :request_value, required: true, coerce: String
+      property :request_version, coerce: String
+      property :request_header, coerce: Hash
+      property :message_body_length, coerce: Integer
+      property :message_body_data_ref, coerce: Identifier
+    end
+  end
+end

data/lib/stix2/extensions/icmp.rb

@@ -0,0 +1,8 @@
+module Stix2
+  module Extensions
+    class Icmp < Stix2::Base
+      property :icmp_type_hex, required: true, coerce: ->(value){ Stix2.is_hex?(value) && value }
+      property :icmp_code_hex, required: true, coerce: ->(value){ Stix2.is_hex?(value) && value }
+    end
+  end
+end

data/lib/stix2/extensions/ntfs.rb

@@ -0,0 +1,10 @@
+require 'stix2/extensions/alternate_data_stream_type'
+
+module Stix2
+  module Extensions
+    class Ntfs < Stix2::Base
+      property :sid, coerce: String
+      property :alternate_data_streams, coerce: Array[AlternateDataStreamType]
+    end
+  end
+end

data/lib/stix2/extensions/pdf.rb

@@ -0,0 +1,11 @@
+module Stix2
+  module Extensions
+    class Pdf < Stix2::Base
+      property :version, coerce: String
+      property :is_optimized, coerce: ->(value){ Stix2.to_bool(value) }
+      property :document_info_dict, Hash[String => String]
+      property :pdfid0, coerce: String
+      property :pdfid1, coerce: String
+    end
+  end
+end

data/lib/stix2/extensions/raster_image.rb

@@ -0,0 +1,10 @@
+module Stix2
+  module Extensions
+    class RasterImage < Stix2::Base
+      property :image_height, coerce: Integer
+      property :image_width, coerce: Integer
+      property :bits_per_pixel, coerce: Integer
+      property :exif_tags, coerce: Hash
+    end
+  end
+end

data/lib/stix2/extensions/socket.rb

@@ -0,0 +1,13 @@
+module Stix2
+  module Extensions
+    class Socket < Stix2::Base
+      property :address_family, required: true, values: NETWORK_SOCKET_ADDRESS_FAMILY_ENUM
+      property :is_blocking, coerce: ->(value){ Stix2.to_bool(value) }
+      property :is_listening, coerce: ->(value){ Stix2.to_bool(value) }
+      property :options, coerce: ->(hsh){ hsh.keys.all?{ |k| k.is_a?(Integer) } && hsh }
+      property :socket_type, values: NETWORK_SOCKET_TYPE_ENUM
+      property :socket_descriptor, coerce: Integer
+      property :socket_handle, coerce: Integer
+    end
+  end
+end

data/lib/stix2/extensions/tcp.rb

@@ -0,0 +1,8 @@
+module Stix2
+  module Extensions
+    class Tcp < Stix2::Base
+      property :src_flags_hex, coerce: ->(value) { Stix2.is_hex?(value) && value }
+      property :dst_flags_hex, coerce: ->(value) { Stix2.is_hex?(value) && value }
+    end
+  end
+end