Description
crystal-stix2 is a STIX 2.1 implementation using Crystal language. This is a work in progress and API is likely to change.
Structured Threat Information Expression (STIX) is a language for expressing cyber threat and observable information. This document defines concepts that apply across all of STIX and defines the overall structure of the STIX language.
STIX 2.1 documentation is available at http://docs.oasis-open.org/cti/stix/v2.1/stix-v2.1.html
README
crystal-stix2
crystal-stix2 is a STIX 2.1 implementation using Crystal language. This is a work in progress and API is likely to change.
Structured Threat Information Expression (STIX) is a language for expressing cyber threat and observable information. This document defines concepts that apply across all of STIX and defines the overall structure of the STIX language.
STIX 2.1 documentation is available at http://docs.oasis-open.org/cti/stix/v2.1/stix-v2.1.html
Installation
- Add the dependency to your
shard.yml
:
dependencies:
crystal-stix2:
github: synsec/crystal-stix2.git
- Run
shards install
Usage
require "crystal-stix2"
bundle = STIX2::Bundle.new
indicator = STIX2::Indicator.new({
indicator_types: [
"compromised",
"malicious-activity"
],
pattern: "[ ipv4-addr:value = '192.0.2.0' ]",
pattern_type: "stix",
valid_from: "2019-11-26T04:34:56.715000000Z",
})
indicator.name = "SSH attacker"
indicator.labels = ["malicious-activity"]
indicator.labels << ["ip-watchlist"]
malware = STIX2::Malware.new({
malware_types: ["ransomware"],
is_family: false,
})
relationship = STIX2::Relationship.new({
relationship_type: "indicates",
source_ref: indicator.id.to_s,
target_ref: malware.id.to_s,
})
bundle.objects << [malware, indicator]
bundle.objects << relationship
Features
Below is a list of features which have been implemented:
STIX Domain Objects
- [x] Attack Pattern
- [ ] Campaign
- [ ] Course of Action
- [ ] Grouping
- [x] Identity
- [x] Indicator
- [x] Infrastructure
- [ ] Intrusion Set
- [ ] Location
- [x] Malware
- [ ] Malware Analysis
- [ ] Note
- [ ] Observed Data
- [ ] Opinion
- [ ] Report
- [ ] Threat Actor
- [ ] Tool
- [ ] Vulnerability
STIX Relationship Objects
- [x] Relationship
- [ ] Sighting
STIX Cyber-observable Objects
- [ ] Artifact Object
- [ ] AS Object
- [ ] Directory Object
- [x] Domain Name Object
- [ ] Email Address Object
- [ ] Email Message Object
- [ ] File Object
- [x] IPv4 Address Object
- [ ] IPv6 Address Object
- [ ] MAC Address Object
- [ ] Mutex Object
- [ ] Network Traffic Object
- [ ] Process Object
- [ ] Software Object
- [x] URL Object
- [ ] User Account Object
- [ ] Windows Registry Key Object
- [ ] X.509 Certificate Object
Other STIX Objects
- [x] Bundle
- [ ] Language Content
- [ ] Marking Definition
Development
TODO: Write development instructions here
Contributing
- Fork it (https://github.com/synsec/crystal-stix2/fork)
- Create your feature branch (
git checkout -b my-new-feature
) - Commit your changes (
git commit -am 'Add some feature'
) - Push to the branch (
git push origin my-new-feature
) - Create a new Pull Request
Contributors
- Oleksii Morozov - creator and maintainer