https://github.com/panther-labs/stix2
Pure go implementation of stix2
https://github.com/panther-labs/stix2
golang security
Last synced: 11 months ago
JSON representation
Pure go implementation of stix2
- Host: GitHub
- URL: https://github.com/panther-labs/stix2
- Owner: panther-labs
- License: bsd-2-clause
- Created: 2022-05-12T19:49:37.000Z (about 4 years ago)
- Default Branch: main
- Last Pushed: 2023-06-16T21:08:13.000Z (about 3 years ago)
- Last Synced: 2024-06-20T12:42:36.921Z (about 2 years ago)
- Topics: golang, security
- Language: Go
- Homepage: https://panther.com/
- Size: 545 KB
- Stars: 5
- Watchers: 23
- Forks: 2
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
- License: LICENSE
- Codeowners: .github/CODEOWNERS
Awesome Lists containing this project
README
# stix2
A pure Go library for working with Structured Threat Information Expression
(STIX™) version 2.x data.
**Note:**
This pkg was ported over from https://github.com/TcM1911/stix2 with some modifications
## Parsing STIX JSON data
The library provides a helper function to parse STIX JSON. It can handle
both the bundle object and JSON objects as a JSON array. The function returns
a `Collection` object that holds all the extracted STIX objects.
```go
collection, err := stix2.FromJSON(jsonData)
```
```go
collection, err := stix2.FromReader(yourReader)
```
## Creating a STIX Bundle
Creating a STIX Bundle, is as easy as creating a set of STIX objects and add
them to the Collection. The Bundle can be created by calling the `ToBundle`
method on the Collection object. The Bundle can be serialized to `JSON`
using the `JSON` encoder in the standard library.
```go
c := stix2.New()
ip, err := stix2.NewIPv4Address("10.0.0.1")
c.Add(ip)
ip, err = stix2.NewIPv4Address("10.0.0.2")
c.Add(ip)
b, err := c.ToBundle()
data, err := json.Marshal(b)
```
## Example of a malware using an infrastructure
Taken from: https://docs.oasis-open.org/cti/stix/v2.1/csprd02/stix-v2.1-csprd02.html#_Toc26789941
```go
collection := stix2.New()
domain, err := stix2.NewDomainName("example.com")
collection.Add(domain)
mal, err := stix2.NewMalware(
false,
stix2.OptionName("IMDDOS"),
stix2.OptionTypes([]string{stix2.MalwareTypeBot}),
)
collection.Add(mal)
infra, err := stix2.NewInfrastructure(
"Example Target List Host",
[]string{stix2.InfrastructureTypeHostingTargetLists},
)
collection.Add(infra)
ref, err := mal.AddUses(infra.ID)
collection.Add(ref)
ref, err = infra.AddConsistsOf(domain.ID)
collection.Add(ref)
b, err := collection.ToBundle()
data, err := json.MarshalIndent(b, "", "\t")
```
## Extensions and Customization
With the release of version 2.1 of the specification custom properties
has been deprecated. Instead, `property-extension` functionality should
be used. This library supports parsing objects with old custom properties
for backwards compatibility. The fields can be accessed via the
`GetExtendedTopLevelProperties` method.
See the examples in the documentation on how to work with extensions.