Skip to content
/ crystal-stix2 Public

crystal-stix2 is a STIX 2.1 implementation using Crystal language.

License

MIT license
0 stars 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

synsec/crystal-stix2

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

16 Commits
.github/workflows
.github/workflows
 
 
docs
docs
 
 
spec
spec
 
 
src
src
 
 
.editorconfig
.editorconfig
 
 
.gitignore
.gitignore
 
 
.travis.yml
.travis.yml
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
shard.yml
shard.yml
 
 

Repository files navigation

crystal-stix2

crystal-stix2 is a STIX 2.1 implementation using Crystal language. This is a work in progress and API is likely to change.

Read crystal-stix2 docs

Structured Threat Information Expression (STIX) is a language for expressing cyber threat and observable information. This document defines concepts that apply across all of STIX and defines the overall structure of the STIX language.

STIX 2.1 documentation is available at http://docs.oasis-open.org/cti/stix/v2.1/stix-v2.1.html

Installation

  1. Add the dependency to your shard.yml:

    dependencies:
  crystal-stix2:
    github: synsec/crystal-stix2.git

  2. Run shards install

Usage

require "crystal-stix2"

bundle = STIX2::Bundle.new

indicator = STIX2::Indicator.new({
      indicator_types: [
        "compromised",
        "malicious-activity"
      ],
      pattern:         "[ ipv4-addr:value = '192.0.2.0' ]",
      pattern_type:    "stix",
      valid_from:      "2019-11-26T04:34:56.715000000Z",
    })
    
indicator.name = "SSH attacker"
indicator.labels = ["malicious-activity"]
indicator.labels << ["ip-watchlist"]

malware = STIX2::Malware.new({
      malware_types: ["ransomware"],
      is_family:     false,
    })

relationship = STIX2::Relationship.new({
      relationship_type: "indicates",
      source_ref:        indicator.id.to_s,
      target_ref:        malware.id.to_s,
    })

bundle.objects << [malware, indicator]
bundle.objects << relationship

Features

Below is a list of features which have been implemented:

STIX Domain Objects

  • Attack Pattern
  • Campaign
  • Course of Action
  • Grouping
  • Identity
  • Indicator
  • Infrastructure
  • Intrusion Set
  • Location
  • Malware
  • Malware Analysis
  • Note
  • Observed Data
  • Opinion
  • Report
  • Threat Actor
  • Tool
  • Vulnerability

STIX Relationship Objects

  • Relationship
  • Sighting

STIX Cyber-observable Objects

  • Artifact Object
  • AS Object
  • Directory Object
  • Domain Name Object
  • ​Email Address Object
  • ​Email Message Object
  • ​File Object
  • ​IPv4 Address Object
  • ​IPv6 Address Object
  • ​MAC Address Object
  • ​Mutex Object
  • ​Network Traffic Object
  • ​Process Object
  • ​Software Object
  • ​URL Object
  • ​User Account Object
  • ​Windows Registry Key Object
  • ​X.509 Certificate Object

Other STIX Objects

  • Bundle
  • Language Content
  • Marking Definition

Development

TODO: Write development instructions here

Contributing

  1. Fork it (https://github.com/synsec/crystal-stix2/fork)
  2. Create your feature branch (git checkout -b my-new-feature)
  3. Commit your changes (git commit -am 'Add some feature')
  4. Push to the branch (git push origin my-new-feature)
  5. Create a new Pull Request

Contributors

About

crystal-stix2 is a STIX 2.1 implementation using Crystal language.

Topics

crystal stix cyber-security crystal-language crystal-lang stix2

Resources

Readme

License

MIT license
Activity
Custom properties

Stars

0 stars

Watchers

3 watching

Forks

0 forks
Report repository

Releases

2 tags

Packages

No packages published

Languages