Module: Stix2

Defined in:
lib/stix2.rb,
lib/stix2/ov.rb,
lib/stix2/enum.rb,
lib/stix2/bundle.rb,
lib/stix2/common.rb,
lib/stix2/boolean.rb,
lib/stix2/storage.rb,
lib/stix2/version.rb,
lib/stix2/identifier.rb,
lib/stix2/kill_chain_phase.rb,
lib/stix2/meta_objects/base.rb,
lib/stix2/external_reference.rb,
lib/stix2/domain_objects/base.rb,
lib/stix2/domain_objects/note.rb,
lib/stix2/domain_objects/tool.rb,
lib/stix2/domain_objects/report.rb,
lib/stix2/domain_objects/malware.rb,
lib/stix2/domain_objects/opinion.rb,
lib/stix2/domain_objects/campaign.rb,
lib/stix2/domain_objects/grouping.rb,
lib/stix2/domain_objects/identity.rb,
lib/stix2/domain_objects/location.rb,
lib/stix2/domain_objects/indicator.rb,
lib/stix2/relationship_objects/base.rb,
lib/stix2/cyberobservable_objects/url.rb,
lib/stix2/domain_objects/threat_actor.rb,
lib/stix2/cyberobservable_objects/base.rb,
lib/stix2/cyberobservable_objects/file.rb,
lib/stix2/domain_objects/intrusion-set.rb,
lib/stix2/domain_objects/observed_data.rb,
lib/stix2/domain_objects/vulnerability.rb,
lib/stix2/cyberobservable_objects/mutex.rb,
lib/stix2/domain_objects/attack_pattern.rb,
lib/stix2/domain_objects/infrastructure.rb,
lib/stix2/meta_objects/language_content.rb,
lib/stix2/relationship_objects/sighting.rb,
lib/stix2/domain_objects/course_of_action.rb,
lib/stix2/domain_objects/malware_analysis.rb,
lib/stix2/meta_objects/data_markings/base.rb,
lib/stix2/cyberobservable_objects/artifact.rb,
lib/stix2/cyberobservable_objects/mac_addr.rb,
lib/stix2/cyberobservable_objects/software.rb,
lib/stix2/cyberobservable_objects/directory.rb,
lib/stix2/cyberobservable_objects/ipv4_addr.rb,
lib/stix2/cyberobservable_objects/ipv6_addr.rb,
lib/stix2/relationship_objects/relationship.rb,
lib/stix2/cyberobservable_objects/email_addr.rb,
lib/stix2/cyberobservable_objects/domain_name.rb,
lib/stix2/cyberobservable_objects/user_account.rb,
lib/stix2/cyberobservable_objects/email_message.rb,
lib/stix2/cyberobservable_objects/network_traffic.rb,
lib/stix2/cyberobservable_objects/x509_certificate.rb,
lib/stix2/cyberobservable_objects/autonomous_system.rb,
lib/stix2/meta_objects/data_markings/object_marking.rb,
lib/stix2/meta_objects/data_markings/granular_marking.rb,
lib/stix2/cyberobservable_objects/email_mime_part_type.rb,
lib/stix2/cyberobservable_objects/windows_registry_key.rb,
lib/stix2/meta_objects/data_markings/marking_definition.rb,
lib/stix2/cyberobservable_objects/windows_registry_value.rb,
lib/stix2/cyberobservable_objects/x509_v3_extension_type.rb

Defined Under Namespace

Modules: CyberobservableObject, DomainObject, MetaObject, RelationshipObject Classes: Boolean, Bundle, Common, ExternalReference, Identifier, KillChainPhase


# Open-vocabulary (OV) value lists. Each list is frozen so the shared
# constant cannot be altered at runtime.
INDICATOR_TYPE_OV = %w[
  anomalous-activity
  anonymization
  benign
  compromised
  malicious-activity
  attribution
  unknown
].freeze

PATTERN_TYPE_OV = %w[
  stix
  pcre
  sigma
  snort
  suricata
  yara
].freeze

GROUPING_CONTEXT_OV = %w[
  suspicious-activity
  malware-analysis
  unspecified
].freeze

IDENTITY_CLASS_OV = %w[
  individual
  group
  system
  organization
  class
  unspecified
].freeze
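# Industry-sector open vocabulary.
#
# 'government' and 'infrastructure' and their sub-sectors are listed as
# separate values. The previous grouped form, e.g.
# 'government (emergency-services, government-local, ...)', was a single
# string containing spaces and parentheses that could never equal an actual
# vocabulary value, so neither the group nor any of its sub-sectors matched.
INDUSTRY_SECTOR_OV =
[
  'agriculture',
  'aerospace',
  'automotive',
  'chemical',
  'commercial',
  'communications',
  'construction',
  'defense',
  'education',
  'energy',
  'entertainment',
  'financial-services',
  'government',
  'emergency-services',
  'government-local',
  'government-national',
  'government-public-services',
  'government-regional',
  'healthcare',
  'hospitality-leisure',
  'infrastructure',
  'dams',
  'nuclear',
  'water',
  'insurance',
  'manufacturing',
  'mining',
  'non-profit',
  'pharmaceuticals',
  'retail',
  'technology',
  'telecommunications',
  'transportation',
  'utilities'
].freeze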
# Malware-related open vocabularies. Frozen so the shared lists cannot be
# modified at runtime.
MALWARE_TYPE_OV = %w[
  adware
  backdoor
  bot
  bootkit
  ddos
  downloader
  dropper
  exploit-kit
  keylogger
  ransomware
  remote-access-trojan
  resource-exploitation
  rogue-security-software
  rootkit
  screen-capture
  spyware
  trojan
  unknown
  virus
  webshell
  wiper
  worm
].freeze

PROCESSOR_ARCHITECTURE_OV = %w[
  alpha
  arm
  ia-64
  mips
  powerpc
  sparc
  x86
  x86-64
].freeze

IMPLEMENTATION_LANGUAGE_OV = %w[
  applescript
  bash
  c
  c++
  c#
  go
  java
  javascript
  lua
  objective-c
  perl
  php
  powershell
  python
  ruby
  scala
  swift
  typescript
  visual-basic
  x86-32
  x86-64
].freeze

# Capabilities an analysed sample may exhibit.
IMPLEMENTATION_CAPABILITIES_OV = %w[
  accesses-remote-machines
  anti-debugging
  anti-disassembly
  anti-emulation
  anti-memory-forensics
  anti-sandbox
  anti-vm
  captures-input-peripherals
  captures-output-peripherals
  captures-system-state-data
  cleans-traces-of-infection
  commits-fraud
  communicates-with-c2
  compromises-data-availability
  compromises-data-integrity
  compromises-system-availability
  controls-local-machine
  degrades-security-software
  degrades-system-updates
  determines-c2-server
  emails-spam
  escalates-privileges
  evades-av
  exfiltrates-data
  fingerprints-host
  hides-artifacts
  hides-executing-code
  infects-files
  infects-remote-machines
  installs-other-components
  persists-after-system-reboot
  prevents-artifact-access
  prevents-artifact-deletion
  probes-network-environment
  self-modifies
  steals-authentication-credentials
  violates-system-operational-integrity
].freeze
# Infrastructure, threat-actor resourcing/motivation and region open
# vocabularies. Frozen so the shared lists cannot be modified at runtime.
INFRASTRUCTURE_TYPE_OV = %w[
  amplification
  anonymization
  botnet
  command-and-control
  exfiltration
  hosting-malware
  hosting-target-lists
  phishing
  reconnaissance
  staging
  undefined
].freeze

ATTACK_RESOURCE_LEVEL_OV = %w[
  individual
  club
  contest
  team
  organization
  government
].freeze

ATTACK_MOTIVATION_OV = %w[
  accidental
  coercion
  dominance
  ideology
  notoriety
  organizational-gain
  personal-gain
  personal-satisfaction
  revenge
  unpredictable
].freeze

REGION_OV = %w[
  eastern-africa
  middle-africa
  northern-africa
  southern-africa
  western-africa
  caribbean
  central-america
  latin-america-caribbean
  northern-america
  south-america
  central-asia
  eastern-asia
  southern-asia
  south-eastern-asia
  western-asia
  eastern-europe
  northern-europe
  southern-europe
  western-europe
  antarctica
  australia-new-zealand
  melanesia
  micronesia
  polynesia
].freeze
# Analysis result, report, threat-actor, tool, hash-algorithm and account
# open vocabularies. Frozen so the shared lists cannot be modified at runtime.
MALWARE_RESULT_OV = %w[
  malicious
  suspicious
  benign
  unknown
].freeze

REPORT_TYPE_OV = %w[
  attack-pattern
  campaign
  identity
  indicator
  intrusion-set
  malware
  observed-data
  threat-actor
  threat-report
  tool
  vulnerability
].freeze

THREAT_ACTOR_TYPE_OV = %w[
  activist
  competitor
  crime-syndicate
  criminal
  hacker
  insider-accidental
  insider-disgruntled
  nation-state
  sensationalist
  spy
  terrorist
  unknown
].freeze

THREAT_ACTOR_ROLE_OV = %w[
  agent
  director
  independent
  infrastructure-architect
  infrastructure-operator
  malware-author
  sponsor
].freeze

THREAT_ACTOR_SOPHISTICATION_OV = %w[
  none
  minimal
  intermediate
  advanced
  expert
  innovator
  strategic
].freeze

TOOL_TYPES_OV = %w[
  denial-of-service
  exploitation
  information-gathering
  network-capture
  credential-exploitation
  remote-access
  vulnerability-scanning
  unknown
].freeze

# Names used to label observed hash values. MD5 and SHA-1 are presumably kept
# so that data already labelled with them can be represented; they are not
# collision-resistant and should not be relied on for integrity decisions.
HASH_ALGORITHM_OV = %w[
  MD5
  SHA-1
  SHA-256
  SHA-512
  SHA3-256
  SHA3-512
  SSDEEP
  TLSH
].freeze

ACCOUNT_TYPE_OV = %w[
  facebook
  ldap
  nis
  openid
  radius
  skype
  tacacs
  twitter
  unix
  windows-local
  windows-domain
].freeze
# Enumerations (closed value sets, as opposed to the *_OV open vocabularies).
# Frozen so the shared lists cannot be modified at runtime.
OPINION_ENUM = %w[
  strongly-disagree
  disagree
  neutral
  agree
  strongly-agree
].freeze

ENCRYPTION_ALGORITHM_ENUM = %w[
  AES-256-GCM
  ChaCha20-Poly1305
  mime-type-indicated
].freeze

WINDOWS_REGISTRY_DATATYPE_ENUM = %w[
  REG_NONE
  REG_SZ
  REG_EXPAND_SZ
  REG_BINARY
  REG_DWORD
  REG_DWORD_BIG_ENDIAN
  REG_DWORD_LITTLE_ENDIAN
  REG_LINK
  REG_MULTI_SZ
  REG_RESOURCE_LIST
  REG_FULL_RESOURCE_DESCRIPTION
  REG_RESOURCE_REQUIREMENTS_LIST
  REG_QWORD
  REG_INVALID_TYPE
].freeze
# Version of the stix2 gem.
VERSION = '0.1.0'
# In-memory object index shared by the storage_* class methods: nil while
# storage is inactive (storage_add then does nothing), a Hash keyed by the
# object's id string once storage_activate has run.
@@storage =
nil


Class Method Details

.parse(options) ⇒ Object



# File 'lib/stix2.rb', line 80

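# Build the Stix2 object described by +options+.
#
# The 'type' property selects the class: "attack-pattern" becomes
# +AttackPattern+ and is looked up under each known family module in turn.
#
# @param options [String, Hash, #to_s] a JSON document, an already-decoded
#   Hash, or any object whose +to_s+ yields a JSON document
# @return [Object] a new instance of the matching Stix2 class
# @raise [RuntimeError] if 'type' is missing, is not a String, or names no
#   known class
# @raise [JSON::ParserError] if the String (or +to_s+) form is not valid JSON
def self.parse(options)
  options_ =
    case options
    when String then JSON.parse(options)
    when Hash then options.clone
    else JSON.parse(options.to_s)
    end
  # NOTE(review): Hashie.symbolize_keys! appears to recurse, so nested hashes a
  # Hash caller still references may be mutated through the shallow clone — confirm.
  Hashie.symbolize_keys!(options_)
  type = options_[:type]
  raise("Property 'type' is missing") unless type
  # 'type' comes straight from the input; only a plain CamelCase identifier may
  # reach the constant lookup below.
  raise("Message unsupported: #{type}") unless type.is_a?(String)
  class_name = type.split('-').map(&:capitalize).join
  raise("Message unsupported: #{type}") unless class_name.match?(/\A[A-Z][A-Za-z0-9]*\z/)
  # Let's try to guess the domain of the object, among the known ones.
  # inherit=false restricts the lookup to constants defined directly under the
  # family module: with the default, Ruby also consults Object, so a type such
  # as "hash" resolved to ::Hash and was instantiated instead of being rejected.
  ['DomainObject', 'RelationshipObject', 'CyberobservableObject', 'MetaObject',
   'MetaObject::DataMarking'].each do |family|
    family_module = Stix2.const_get(family)
    next unless family_module.const_defined?(class_name, false)

    klass = family_module.const_get(class_name, false)
    # Nested modules (e.g. MetaObject::DataMarking itself) are not instantiable.
    return klass.new(options_) if klass.is_a?(Class)
  end
  raise("Message unsupported: #{type}")
end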

.storage ⇒ Object



# File 'lib/stix2/storage.rb', line 20

# The in-memory object index.
#
# @return [Hash{String => Object}, nil] objects keyed by their id string, or
#   nil while storage is inactive
def self.storage
  @@storage
end

.storage_activate ⇒ Object



# File 'lib/stix2/storage.rb', line 8

# Switch the in-memory index on, starting from an empty index.
# Calling it again discards everything stored so far.
#
# @return [Hash] the new, empty index
def self.storage_activate
  @@storage = {}
end

.storage_add(obj) ⇒ Object



# File 'lib/stix2/storage.rb', line 4

# Record +obj+ in the in-memory index, keyed by its id.
#
# A later object with the same id replaces the earlier one; nothing is
# stored while storage is inactive.
#
# @param obj [#id] the object to index
# @return [Object, nil] +obj+ when stored, nil when storage is inactive
def self.storage_add(obj)
  return unless @@storage

  @@storage[obj.id.to_s] = obj
end

.storage_deactivate ⇒ Object



# File 'lib/stix2/storage.rb', line 12

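# Switch the in-memory index off and drop every object it held.
#
# @return [nil]
def self.storage_deactivate
  # Must target the class variable shared with storage_activate/storage_add;
  # assigning the instance variable @storage left @@storage untouched, so the
  # index stayed active and kept growing after "deactivation".
  @@storage = nil
end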

.storage_find(id) ⇒ Object



# File 'lib/stix2/storage.rb', line 16

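# Look an object up in the in-memory index by id.
#
# @param id [#to_s] the identifier of the object
# @return [Object, nil] the stored object, or nil when no object has that id
#   or when storage is inactive (mirrors the guard in storage_add)
def self.storage_find(id)
  # Without the guard an inactive index (nil) raised NoMethodError here,
  # although storage_add silently accepts the same state.
  @@storage && @@storage[id.to_s]
end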