indicator

package

v0.6.1 Latest Latest Go to latest Published: Jan 15, 2020 License: Apache-2.0 Imports: 9 Imported by: 5

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/freetaxii/libstix2

Links

Open Source Insights

Documentation ¶

Overview ¶

Package indicator implements the STIX 2.1 Indicator object.

The following information comes directly from the STIX 2.1 specification.

Indicators contain a pattern that can be used to detect suspicious or malicious cyber activity. For example, an Indicator may be used to represent a set of malicious domains and use the STIX Patterning Language (see section 9) to specify these domains.

The Indicator SDO contains a simple textual description, the Kill Chain Phases that it detects behavior in, a time window for when the Indicator is valid or useful, and a required pattern property to capture a structured detection pattern. Conforming STIX implementations MUST support the STIX Patterning Language as defined in section 9.

Relationships from the Indicator can describe the malicious or suspicious behavior that it directly detects (Malware, Tool, and Attack Pattern). In addition, it may also imply the presence of a Campaigns, Intrusion Sets, and Threat Actors, etc.

Index ¶

func Compare(obj1, obj2 *Indicator) (bool, int, []string)
type Indicator
- func Decode(data []byte) (*Indicator, error)
- func New() *Indicator

Constants ¶

This section is empty.

Variables ¶

This section is empty.

Functions ¶

func Compare ¶

func Compare(obj1, obj2 *Indicator) (bool, int, []string)

Compare - This function will compare two objects to make sure they are the

same and will return a boolean, an integer that tracks the number of problems found, and a slice of strings that contain the detailed results, whether good or bad.

Types ¶

type Indicator ¶

type Indicator struct {
	objects.CommonObjectProperties
	properties.NameProperty
	properties.DescriptionProperty
	IndicatorTypes []string `json:"indicator_types,omitempty"`
	Pattern        string   `json:"pattern,omitempty"`
	PatternType    string   `json:"pattern_type,omitempty"`
	PatternVersion string   `json:"pattern_version,omitempty"`
	ValidFrom      string   `json:"valid_from,omitempty"`
	ValidUntil     string   `json:"valid_until,omitempty"`
	properties.KillChainPhasesProperty
}

Indicator - This type implements the STIX 2 Indicator SDO and defines all of

the properties and methods needed to create and work with this object. All of the methods not defined local to this type are inherited from the individual properties.

func Decode ¶

func Decode(data []byte) (*Indicator, error)

Decode - This function is a simple wrapper for decoding JSON data. It will

decode a slice of bytes into an actual struct and return a pointer to that object along with any errors.

func New ¶

func New() *Indicator

New - This function will create a new STIX Indicator object and return it as

a pointer. It will also initialize the object by setting all of the basic properties.

func (*Indicator) AddTypes ¶ added in v0.6.1

func (o *Indicator) AddTypes(values interface{}) error

AddTypes - This method takes in a string value, a comma separated list of

string values, or a slice of string values that represents an indicator type and adds it to the indicator types property. The values SHOULD come from the indicator-type-ov open vocabulary.

func (*Indicator) Compare ¶

func (o *Indicator) Compare(obj2 *Indicator) (bool, int, []string)

Compare - This method will compare two objects to make sure they are the

same. The receiver is object 1 and the object passed in is object 2. This method will return a boolean, an integer that tracks the number of problems found, and a slice of strings that contain the detailed results, whether good or bad.

func (*Indicator) Encode ¶

func (o *Indicator) Encode() ([]byte, error)

Encode - This method is a simple wrapper for encoding an object into JSON

func (*Indicator) EncodeToString ¶

func (o *Indicator) EncodeToString() (string, error)

EncodeToString - This method is a simple wrapper for encoding an object into

JSON

func (*Indicator) GetPropertyList ¶ added in v0.6.1

func (o *Indicator) GetPropertyList() []string

GetProperties - This method will return a list of all of the properties that

are unique to this object. This is used by the custom UnmarshalJSON for this object. It is defined here in this file to make it easy to keep in sync.

func (*Indicator) SetPattern ¶

func (o *Indicator) SetPattern(s string) error

SetPattern - This method takes in a string value representing a complete and

valid STIX pattern and will set the pattern property to that value.

func (*Indicator) SetPatternType ¶ added in v0.6.1

func (o *Indicator) SetPatternType(s string) error

SetPatternType - This method takes in a string representing the type of

pattern used in this indicator and will set the pattern_type property to that value. The value should be one of "stix", "snort", or "yara".

func (*Indicator) SetPatternVersion ¶ added in v0.6.1

func (o *Indicator) SetPatternVersion(s string) error

SetPatternVersion - This method takes in a string representing the version of

the pattern used in this indicator and will set the pattern_version property to that value.

For patterns that do not have a formal specification, the build or code version that the pattern is known to work with SHOULD be used.

func (*Indicator) SetValidFrom ¶

func (o *Indicator) SetValidFrom(t interface{}) error

SetValidFrom - This method will take in a timestamp in either time.Time or

string format and will set the valid_from property to that value.

func (*Indicator) SetValidFromToCurrentTime ¶

func (o *Indicator) SetValidFromToCurrentTime() error

SetValidFromToCurrentTime - This method will set the valid_from timestamp to

the current time.

func (*Indicator) SetValidUntil ¶

func (o *Indicator) SetValidUntil(t interface{}) error

SetValidUntil - This method will take in a timestamp in either time.Time or

string format and will set the valid_until property to that value.

func (*Indicator) SetValidUntilToCurrentTime ¶

func (o *Indicator) SetValidUntilToCurrentTime() error

SetValidUntilToCurrentTime - This method will set the valid_until time to the

current time.

func (*Indicator) UnmarshalJSON ¶ added in v0.6.1

func (o *Indicator) UnmarshalJSON(b []byte) error

UnmarshalJSON - This method will over write the default UnmarshalJSON method

to enable custom properties that this library does not know about. It will store them as map where the value of each key is a byte arrays. This way a tool that does know how to deal with them can then further process them after this is done. This will also allow the storage of the raw JSON data.

func (*Indicator) Valid ¶ added in v0.6.1

func (o *Indicator) Valid() (bool, int, []string)

Valid - This method will verify and test all of the properties on an object

to make sure they are valid per the specification. It will return a boolean, an integer that tracks the number of problems found, and a slice of strings that contain the detailed results, whether good or bad.

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL