Documentation ¶
Overview ¶
Package indicator implements the STIX 2.1 Indicator object.
The following information comes directly from the STIX 2.1 specification.
Indicators contain a pattern that can be used to detect suspicious or malicious cyber activity. For example, an Indicator may be used to represent a set of malicious domains and use the STIX Patterning Language (see section 9) to specify these domains.
The Indicator SDO contains a simple textual description, the Kill Chain Phases that it detects behavior in, a time window for when the Indicator is valid or useful, and a required pattern property to capture a structured detection pattern. Conforming STIX implementations MUST support the STIX Patterning Language as defined in section 9.
Relationships from the Indicator can describe the malicious or suspicious behavior that it directly detects (Malware, Tool, and Attack Pattern). In addition, it may also imply the presence of Campaigns, Intrusion Sets, Threat Actors, etc.
Index ¶
- func Compare(obj1, obj2 *Indicator) (bool, int, []string)
- type Indicator
- func New() *Indicator
- func (o *Indicator) AddTypes(values interface{}) error
- func (o *Indicator) Compare(obj2 *Indicator) (bool, int, []string)
- func (o *Indicator) Encode() ([]byte, error)
- func (o *Indicator) EncodeToString() (string, error)
- func (o *Indicator) GetPropertyList() []string
- func (o *Indicator) SetPattern(s string) error
- func (o *Indicator) SetPatternType(s string) error
- func (o *Indicator) SetPatternVersion(s string) error
- func (o *Indicator) SetValidFrom(t interface{}) error
- func (o *Indicator) SetValidFromToCurrentTime() error
- func (o *Indicator) SetValidUntil(t interface{}) error
- func (o *Indicator) SetValidUntilToCurrentTime() error
- func (o *Indicator) UnmarshalJSON(b []byte) error
- func (o *Indicator) Valid() (bool, int, []string)
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
Types ¶
type Indicator ¶
type Indicator struct {
	objects.CommonObjectProperties
	properties.NameProperty
	properties.DescriptionProperty
	IndicatorTypes []string `json:"indicator_types,omitempty"`
	Pattern        string   `json:"pattern,omitempty"`
	PatternType    string   `json:"pattern_type,omitempty"`
	PatternVersion string   `json:"pattern_version,omitempty"`
	ValidFrom      string   `json:"valid_from,omitempty"`
	ValidUntil     string   `json:"valid_until,omitempty"`
	properties.KillChainPhasesProperty
}
Indicator - This type implements the STIX 2 Indicator SDO and defines all of
the properties and methods needed to create and work with this object. All of the methods not defined local to this type are inherited from the individual properties.
func Decode ¶
Decode - This function is a simple wrapper for decoding JSON data. It will
decode a slice of bytes into an actual struct and return a pointer to that object along with any errors.
func New ¶
func New() *Indicator
New - This function will create a new STIX Indicator object and return it as
a pointer. It will also initialize the object by setting all of the basic properties.
func (*Indicator) AddTypes ¶ added in v0.6.1
AddTypes - This method takes in a string value, a comma separated list of
string values, or a slice of string values that represents an indicator type and adds it to the indicator types property. The values SHOULD come from the indicator-type-ov open vocabulary.
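The following is an added example, not the library's own code, of how an AddTypes that takes interface{} can normalize the three accepted input shapes (single value, comma separated list, slice) on a reduced Indicator stand-in. Because indicator-type-ov is an open vocabulary and the property only SHOULD use it, out-of-vocabulary values are kept; this example returns them as an extra []string so the caller can log them, which is this example's addition and not part of the library's signature:

```go
package main

import (
	"fmt"
	"strings"
)

// indicatorTypeOV is the STIX 2.1 indicator-type-ov open vocabulary.
// It is open: values outside it are allowed, so they are reported, not rejected.
var indicatorTypeOV = map[string]bool{
	"anomalous-activity": true, "anonymization": true, "benign": true,
	"compromised": true, "malicious-activity": true, "attribution": true,
	"unknown": true,
}

// Indicator is a reduced stand-in for the library's Indicator type
// (example only); it carries just the indicator_types property.
type Indicator struct {
	IndicatorTypes []string `json:"indicator_types,omitempty"`
}

// AddTypes accepts a single string, a comma separated string, or a []string,
// trims whitespace, skips empty and duplicate values and appends the rest.
// Unlike the library method it also returns the values that are not in
// indicator-type-ov so the caller can log them; they are still added, because
// the vocabulary is only a SHOULD. Any other argument type is an error.
func (o *Indicator) AddTypes(values interface{}) ([]string, error) {
	var in []string
	switch v := values.(type) {
	case string:
		in = strings.Split(v, ",")
	case []string:
		in = v
	default:
		return nil, fmt.Errorf("AddTypes: unsupported argument type %T", values)
	}
	seen := make(map[string]bool, len(o.IndicatorTypes))
	for _, t := range o.IndicatorTypes {
		seen[t] = true
	}
	var unknown []string
	for _, raw := range in {
		t := strings.TrimSpace(raw)
		if t == "" || seen[t] {
			continue
		}
		seen[t] = true
		o.IndicatorTypes = append(o.IndicatorTypes, t)
		if !indicatorTypeOV[t] {
			unknown = append(unknown, t)
		}
	}
	return unknown, nil
}

func main() {
	var ind Indicator
	unknown, err := ind.AddTypes("malicious-activity, compromised,x-custom ")
	fmt.Println(ind.IndicatorTypes, unknown, err)
	_, err = ind.AddTypes(42)
	fmt.Println(err)
}
```

Rejecting an unsupported argument type with an error, rather than silently ignoring it, matters when the values come from untrusted feeds: a caller that passes the wrong type otherwise produces an Indicator with no types and no signal that anything went wrong.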
func (*Indicator) Compare ¶
Compare - This method will compare two objects to make sure they are the
same. The receiver is object 1 and the object passed in is object 2. This method will return a boolean, an integer that tracks the number of problems found, and a slice of strings that contain the detailed results, whether good or bad.
func (*Indicator) Encode ¶
Encode - This method is a simple wrapper for encoding an object into JSON
func (*Indicator) EncodeToString ¶
EncodeToString - This method is a simple wrapper for encoding an object into JSON and returning it as a string.
func (*Indicator) GetPropertyList ¶ added in v0.6.1
GetPropertyList - This method will return a list of all of the properties that
are unique to this object. This is used by the custom UnmarshalJSON for this object to tell known properties from custom ones. It is defined here in this file to make it easy to keep in sync with the struct definition.
func (*Indicator) SetPattern ¶
SetPattern - This method takes in a string value representing a complete and
valid STIX pattern and will set the pattern property to that value.
func (*Indicator) SetPatternType ¶ added in v0.6.1
SetPatternType - This method takes in a string representing the type of
pattern used in this indicator and will set the pattern_type property to that value. The value should come from the STIX 2.1 pattern-type-ov open vocabulary, which defines "stix", "pcre", "sigma", "snort", "suricata", and "yara"; this method does not check the value, and consumers should not assume a pattern_type of "stix" means the pattern itself has been parsed or validated.
func (*Indicator) SetPatternVersion ¶ added in v0.6.1
SetPatternVersion - This method takes in a string representing the version of
the pattern used in this indicator and will set the pattern_version property to that value.
For patterns that do not have a formal specification, the build or code version that the pattern is known to work with SHOULD be used.
func (*Indicator) SetValidFrom ¶
SetValidFrom - This method will take in a timestamp in either time.Time or
string format and will set the valid_from property to that value.
func (*Indicator) SetValidFromToCurrentTime ¶
SetValidFromToCurrentTime - This method will set the valid_from timestamp to
the current time.
func (*Indicator) SetValidUntil ¶
SetValidUntil - This method will take in a timestamp in either time.Time or
string format and will set the valid_until property to that value. Per the STIX 2.1 specification, if valid_until is present it MUST be later than valid_from; this method does not enforce that ordering, so check it with Valid before emitting the object.
func (*Indicator) SetValidUntilToCurrentTime ¶
SetValidUntilToCurrentTime - This method will set the valid_until timestamp to the
current time. Since valid_until is the point after which the Indicator should no longer be considered valid, this effectively retires the Indicator as of now.
func (*Indicator) UnmarshalJSON ¶ added in v0.6.1
UnmarshalJSON - This method overrides the default UnmarshalJSON method
to preserve custom properties that this library does not know about. It stores them in a map keyed by property name, with each value kept as a byte slice, so that a tool which does know how to handle them can process them after decoding. It also keeps the raw JSON data of the object.
func (*Indicator) Valid ¶ added in v0.6.1
Valid - This method will verify and test all of the properties on an object
to make sure they are valid per the specification. It will return a boolean, an integer that tracks the number of problems found, and a slice of strings that contain the detailed results, whether good or bad.
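The two methods above, custom-property capture in UnmarshalJSON and the required-property and time-window checks in Valid, are shown together below as an added example that is not the library's code. It uses a reduced Indicator stand-in with the common properties inlined, a knownProps set standing in for GetPropertyList, and a constructed sample object with a placeholder id, one x_ custom property, and a valid_until that precedes valid_from:

```go
package main

import (
	"encoding/json"
	"fmt"
	"time"
)

// Indicator is a reduced stand-in for the library's type (example only): the
// common properties are inlined, the rest mirror the struct above.
type Indicator struct {
	Type           string   `json:"type"`
	SpecVersion    string   `json:"spec_version"`
	ID             string   `json:"id"`
	Created        string   `json:"created"`
	Modified       string   `json:"modified"`
	Pattern        string   `json:"pattern,omitempty"`
	PatternType    string   `json:"pattern_type,omitempty"`
	PatternVersion string   `json:"pattern_version,omitempty"`
	ValidFrom      string   `json:"valid_from,omitempty"`
	ValidUntil     string   `json:"valid_until,omitempty"`
	IndicatorTypes []string `json:"indicator_types,omitempty"`
	// Custom: unknown top-level properties as raw bytes; Raw: the input document.
	Custom map[string][]byte `json:"-"`
	Raw    []byte            `json:"-"`
}

// knownProps plays the role of GetPropertyList: the JSON names decoded above.
var knownProps = map[string]bool{
	"type": true, "spec_version": true, "id": true, "created": true,
	"modified": true, "pattern": true, "pattern_type": true, "pattern_version": true,
	"valid_from": true, "valid_until": true, "indicator_types": true,
}

// UnmarshalJSON decodes the known properties, keeps every other top-level key
// in Custom without interpreting it, and stores the whole document in Raw.
func (o *Indicator) UnmarshalJSON(b []byte) error {
	type plain Indicator // same fields, no methods, so no recursion
	var p plain
	if err := json.Unmarshal(b, &p); err != nil {
		return err
	}
	var all map[string]json.RawMessage
	if err := json.Unmarshal(b, &all); err != nil {
		return err
	}
	*o = Indicator(p)
	o.Raw = append([]byte(nil), b...)
	o.Custom = make(map[string][]byte)
	for k, v := range all {
		if !knownProps[k] {
			o.Custom[k] = []byte(v)
		}
	}
	return nil
}

// Valid applies the rules that need no pattern parser: type, pattern, pattern_type
// and valid_from are required, timestamps must be RFC 3339, valid_until > valid_from.
func (o *Indicator) Valid() (bool, int, []string) {
	problems := 0
	var details []string
	check := func(ok bool, msg string) {
		if !ok {
			problems++
			details = append(details, "-- "+msg)
			return
		}
		details = append(details, "++ "+msg)
	}
	check(o.Type == "indicator", `type is "indicator"`)
	check(o.Pattern != "", "pattern is present")
	check(o.PatternType != "", "pattern_type is present")
	from, err := time.Parse(time.RFC3339, o.ValidFrom)
	check(err == nil, "valid_from is a required RFC 3339 timestamp")
	if err == nil && o.ValidUntil != "" {
		until, uerr := time.Parse(time.RFC3339, o.ValidUntil)
		if uerr != nil {
			check(false, "valid_until is an RFC 3339 timestamp")
		} else {
			check(until.After(from), "valid_until is later than valid_from")
		}
	}
	return problems == 0, problems, details
}

// Sample is a constructed Indicator (placeholder id) with one custom property
// and a validity window that ends before it starts.
const Sample = `{"type":"indicator","spec_version":"2.1",
"id":"indicator--00000000-0000-4000-8000-000000000001",
"created":"2024-01-01T00:00:00.000Z","modified":"2024-01-01T00:00:00.000Z",
"pattern":"[domain-name:value = 'malicious.example']","pattern_type":"stix",
"valid_from":"2024-01-01T00:00:00Z","valid_until":"2023-12-31T00:00:00Z",
"x_acme_confidence":75}`

func main() {
	var ind Indicator
	err := json.Unmarshal([]byte(Sample), &ind)
	ok, n, details := ind.Valid()
	fmt.Println(err, ok, n, details, string(ind.Custom["x_acme_confidence"]))
}
```

Decoding the document twice, once into the typed struct and once into a map of json.RawMessage, is what lets unknown properties survive without being interpreted; the bytes in Custom are never parsed here, so a downstream tool decides what to do with an x_ extension rather than this code guessing. Valid checks the window ordering explicitly because the setters accept any timestamp, and an Indicator whose valid_until precedes valid_from would otherwise be emitted as if it were live.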