https://github.com/synsec/crystal-stix2
crystal-stix2 is a STIX 2.1 implementation using Crystal language.
https://github.com/synsec/crystal-stix2
crystal crystal-lang crystal-language cyber-security stix stix2
Last synced: 12 months ago
JSON representation
crystal-stix2 is a STIX 2.1 implementation using Crystal language.
- Host: GitHub
- URL: https://github.com/synsec/crystal-stix2
- Owner: synsec
- License: mit
- Created: 2019-12-17T16:51:02.000Z (over 6 years ago)
- Default Branch: master
- Last Pushed: 2019-12-24T13:24:00.000Z (over 6 years ago)
- Last Synced: 2025-02-05T21:27:46.635Z (about 1 year ago)
- Topics: crystal, crystal-lang, crystal-language, cyber-security, stix, stix2
- Language: Crystal
- Homepage:
- Size: 110 KB
- Stars: 0
- Watchers: 3
- Forks: 0
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project
README
# crystal-stix2
[](https://synsec.github.io/crystal-stix2/)
crystal-stix2 is a STIX 2.1 implementation using Crystal language. This is a work in progress and API is likely to change.
[Read crystal-stix2 docs](https://synsec.github.io/crystal-stix2/)
Structured Threat Information Expression (STIX) is a language for expressing cyber threat and observable information. This document defines concepts that apply across all of STIX and defines the overall structure of the STIX language.
STIX 2.1 documentation is available at [http://docs.oasis-open.org/cti/stix/v2.1/stix-v2.1.html](http://docs.oasis-open.org/cti/stix/v2.1/stix-v2.1.html)
## Installation
1. Add the dependency to your `shard.yml`:
```yaml
dependencies:
crystal-stix2:
github: synsec/crystal-stix2.git
```
2. Run `shards install`
## Usage
```crystal
require "crystal-stix2"
bundle = STIX2::Bundle.new
indicator = STIX2::Indicator.new({
indicator_types: [
"compromised",
"malicious-activity"
],
pattern: "[ ipv4-addr:value = '192.0.2.0' ]",
pattern_type: "stix",
valid_from: "2019-11-26T04:34:56.715000000Z",
})
indicator.name = "SSH attacker"
indicator.labels = ["malicious-activity"]
indicator.labels << ["ip-watchlist"]
malware = STIX2::Malware.new({
malware_types: ["ransomware"],
is_family: false,
})
relationship = STIX2::Relationship.new({
relationship_type: "indicates",
source_ref: indicator.id.to_s,
target_ref: malware.id.to_s,
})
bundle.objects << [malware, indicator]
bundle.objects << relationship
```
## Features
Below is a list of features which have been implemented:
STIX Domain Objects
- [x] Attack Pattern
- [ ] Campaign
- [ ] Course of Action
- [ ] Grouping
- [x] Identity
- [x] Indicator
- [x] Infrastructure
- [ ] Intrusion Set
- [ ] Location
- [x] Malware
- [ ] Malware Analysis
- [ ] Note
- [ ] Observed Data
- [ ] Opinion
- [ ] Report
- [ ] Threat Actor
- [ ] Tool
- [ ] Vulnerability
STIX Relationship Objects
- [x] Relationship
- [ ] Sighting
STIX Cyber-observable Objects
- [ ] Artifact Object
- [ ] AS Object
- [ ] Directory Object
- [x] Domain Name Object
- [ ] Email Address Object
- [ ] Email Message Object
- [ ] File Object
- [x] IPv4 Address Object
- [ ] IPv6 Address Object
- [ ] MAC Address Object
- [ ] Mutex Object
- [ ] Network Traffic Object
- [ ] Process Object
- [ ] Software Object
- [x] URL Object
- [ ] User Account Object
- [ ] Windows Registry Key Object
- [ ] X.509 Certificate Object
Other STIX Objects
- [x] Bundle
- [ ] Language Content
- [ ] Marking Definition
## Development
TODO: Write development instructions here
## Contributing
1. Fork it ()
2. Create your feature branch (`git checkout -b my-new-feature`)
3. Commit your changes (`git commit -am 'Add some feature'`)
4. Push to the branch (`git push origin my-new-feature`)
5. Create a new Pull Request
## Contributors
- [Oleksii Morozov](https://github.com/jaysneg) - creator and maintainer