malware

package
v0.6.1
Published: Jan 15, 2020 License: Apache-2.0 Imports: 6 Imported by: 2

Documentation

Overview

Package malware implements the STIX 2.1 Malware object.

The following information comes directly from the STIX 2.1 specification.

Malware is a type of TTP that represents malicious code. It generally refers to a program that is inserted into a system, usually covertly. The intent is to compromise the confidentiality, integrity, or availability of the victim's data, applications, or operating system (OS) or otherwise annoy or disrupt the victim.

The Malware SDO characterizes, identifies, and categorizes malware instances and families from data that may be derived from analysis. This SDO captures detailed information about how the malware works and what it does. This SDO captures contextual data relevant to sharing Malware data without requiring the full analysis provided by the Malware Analysis SDO.

The Indicator SDO provides intelligence producers with the ability to define, using the STIX Pattern Grammar in a standard way to identify and detect behaviors associated with malicious activities. Although the Malware SDO provides vital intelligence on a specific instance or malware family, it does not provide a standard grammar that the Indicator SDO provides to identify those properties in security detection systems designed to process the STIX Pattern grammar. We strongly encourage the use of STIX Indicators for the detection of actual malware, due to its use of the STIX Patterning language and the clear semantics that it provides.

To minimize the risk of a consumer compromising their system in parsing malware samples, producers SHOULD consider sharing defanged content (archive and password-protected samples) instead of raw, base64-encoded malware samples.

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type Malware

type Malware struct {
	objects.CommonObjectProperties
	properties.NameProperty
	properties.DescriptionProperty
	MalwareTypes []string `json:"malware_types,omitempty"`
	IsFamily     bool     `json:"is_family"`
	properties.AliasesProperty
	properties.KillChainPhasesProperty
	properties.SeenProperties
	OsExecutionEnvs           []string `json:"os_execution_envs,omitempty"`
	ArchitectureExecutionEnvs []string `json:"architecture_execution_envs,omitempty"`
	ImplementationLanguages   []string `json:"implementation_languages,omitempty"`
	Capabilities              []string `json:"capabilities,omitempty"`
	SampleRefs                []string `json:"sample_refs,omitempty"`
}
Malware - This type implements the STIX 2 Malware SDO and defines all of the properties and methods needed to create and work with this object. All of the methods not defined local to this type are inherited from the individual properties.

func Decode added in v0.6.1

func Decode(data []byte) (*Malware, error)
Decode - This function is a simple wrapper for decoding JSON data. It will decode a slice of bytes into an actual struct and return a pointer to that object along with any errors.

func New

func New() *Malware
New - This function will create a new STIX Malware object and return it as a pointer. It will also initialize the object by setting all of the basic properties.

func (*Malware) AddArchitectureExecutionEnvs added in v0.6.1

func (o *Malware) AddArchitectureExecutionEnvs(values interface{}) error
AddArchitectureExecutionEnvs - This method takes in a string value, a comma separated list of string values, or a slice of string values that represents an architecture execution environment and adds it to the architecture execution envs property. The values SHOULD come from the processor-architecture-ov open vocabulary.

func (*Malware) AddCapabilities added in v0.6.1

func (o *Malware) AddCapabilities(values interface{}) error
AddCapabilities - This method takes in a string value, a comma separated list of string values, or a slice of string values that represents a capability of this malware and adds it to the capabilities property. The values SHOULD come from the malware-capabilities-ov open vocabulary.

func (*Malware) AddImplementationLanguages added in v0.6.1

func (o *Malware) AddImplementationLanguages(values interface{}) error
AddImplementationLanguages - This method takes in a string value, a comma separated list of string values, or a slice of string values that represents a programming language that this malware was implemented in and adds it to the implementation languages property. The values SHOULD come from the implementation-language-ov open vocabulary.

func (*Malware) AddOsExecutionEnvs added in v0.6.1

func (o *Malware) AddOsExecutionEnvs(values interface{}) error
AddOsExecutionEnvs - This method takes in a string value, a comma separated list of string values, or a slice of string values that represents an OS execution environment and adds it to the os execution envs property.

func (*Malware) AddSampleRefs added in v0.6.1

func (o *Malware) AddSampleRefs(values interface{}) error
AddSampleRefs - This method takes in a string value, a comma separated list of string values, or a slice of string values that represents the id of a File or Artifact SCO (STIX Cyber-observable Object) associated with this malware and adds it to the sample refs property.

func (*Malware) AddTypes added in v0.6.1

func (o *Malware) AddTypes(values interface{}) error
AddTypes - This method takes in a string value, a comma separated list of string values, or a slice of string values that represents a malware type and adds it to the malware types property. The values SHOULD come from the malware-type-ov open vocabulary.

func (*Malware) Encode added in v0.6.1

func (o *Malware) Encode() ([]byte, error)

Encode - This method is a simple wrapper for encoding an object into JSON.

func (*Malware) EncodeToString added in v0.6.1

func (o *Malware) EncodeToString() (string, error)
EncodeToString - This method is a simple wrapper for encoding an object into a JSON string.

func (*Malware) GetPropertyList added in v0.6.1

func (o *Malware) GetPropertyList() []string
GetPropertyList - This method will return a list of all of the properties that are unique to this object. This is used by the custom UnmarshalJSON for this object. It is defined here in this file to make it easy to keep in sync.

func (*Malware) SetIsFamily added in v0.6.1

func (o *Malware) SetIsFamily() error

SetIsFamily - This method sets the is family property to true.

func (*Malware) UnmarshalJSON added in v0.6.1

func (o *Malware) UnmarshalJSON(b []byte) error
UnmarshalJSON - This method overrides the default UnmarshalJSON method to enable custom properties that this library does not know about. It will store them in a map where the value of each key is a byte array. This way a tool that does know how to deal with them can further process them after this is done. This will also allow the storage of the raw JSON data.

func (*Malware) Valid added in v0.6.1

func (o *Malware) Valid() (bool, int, []string)
Valid - This method will verify and test all of the properties on an object to make sure they are valid per the specification. It will return a boolean, an integer that tracks the number of problems found, and a slice of strings that contain the detailed results, whether good or bad.
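The three behaviours documented above (the Add* methods accepting a string, a comma separated string or a slice; UnmarshalJSON keeping unknown custom properties as raw bytes; Valid returning a boolean, a problem count and a result list) can be shown in a self-contained Go program. The following is an added example written for this page and is not the library's own code: MalwareLite, knownProps, toStringSlice, sampleJSON and decodeSample are constructed stand-ins with only the properties needed here, and the object in sampleJSON uses placeholder UUIDs.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// MalwareLite is a constructed stand-in for the library's Malware type with
// only the properties needed for this example; it is not the library's code.
type MalwareLite struct {
	Type         string   `json:"type"`
	ID           string   `json:"id"`
	MalwareTypes []string `json:"malware_types,omitempty"`
	IsFamily     bool     `json:"is_family"`
	SampleRefs   []string `json:"sample_refs,omitempty"`
	// Custom holds properties this code does not know about, as raw JSON,
	// so a later tool can process them (the behaviour the page describes).
	Custom map[string]json.RawMessage `json:"-"`
}

// knownProps plays the role of GetPropertyList: the JSON keys this type owns.
var knownProps = map[string]bool{
	"type": true, "id": true, "malware_types": true, "is_family": true, "sample_refs": true,
}

// toStringSlice accepts the three input shapes the Add* methods document:
// a single string, a comma separated string, or a []string.
func toStringSlice(values interface{}) ([]string, error) {
	switch v := values.(type) {
	case string:
		var out []string
		for _, p := range strings.Split(v, ",") {
			if p = strings.TrimSpace(p); p != "" {
				out = append(out, p)
			}
		}
		return out, nil
	case []string:
		return v, nil
	default:
		return nil, fmt.Errorf("unsupported value type %T", values)
	}
}

// AddTypes appends to malware_types; values should come from malware-type-ov.
func (o *MalwareLite) AddTypes(values interface{}) error {
	vals, err := toStringSlice(values)
	if err != nil {
		return err
	}
	o.MalwareTypes = append(o.MalwareTypes, vals...)
	return nil
}

// UnmarshalJSON decodes the known properties normally and keeps every
// unknown key (for example x_ prefixed custom properties) in Custom.
func (o *MalwareLite) UnmarshalJSON(b []byte) error {
	type alias MalwareLite // alias has no methods, so no recursive call
	var a alias
	if err := json.Unmarshal(b, &a); err != nil {
		return err
	}
	raw := map[string]json.RawMessage{}
	if err := json.Unmarshal(b, &raw); err != nil {
		return err
	}
	for k := range raw {
		if knownProps[k] {
			delete(raw, k)
		}
	}
	a.Custom = raw
	*o = MalwareLite(a)
	return nil
}

// Valid mirrors the (bool, int, []string) shape of the library's Valid but
// only reports problems: type, id prefix, and sample_refs pointing at file or
// artifact SCOs (the only reference kinds the page allows for that property).
func (o *MalwareLite) Valid() (bool, int, []string) {
	var results []string
	if o.Type != "malware" {
		results = append(results, "-- type must be \"malware\"")
	}
	if !strings.HasPrefix(o.ID, "malware--") {
		results = append(results, "-- id must start with \"malware--\"")
	}
	for _, ref := range o.SampleRefs {
		if !strings.HasPrefix(ref, "file--") && !strings.HasPrefix(ref, "artifact--") {
			results = append(results, "-- sample_refs entry is not a file or artifact SCO: "+ref)
		}
	}
	return len(results) == 0, len(results), results
}

// sampleJSON is a constructed object (placeholder UUIDs) with one custom property.
const sampleJSON = `{"type":"malware","id":"malware--00000000-0000-4000-8000-000000000001",
"malware_types":["trojan"],"is_family":false,
"sample_refs":["file--00000000-0000-4000-8000-000000000002"],"x_example_score":42}`

func decodeSample() (*MalwareLite, error) {
	var m MalwareLite
	if err := json.Unmarshal([]byte(sampleJSON), &m); err != nil {
		return nil, err
	}
	return &m, nil
}

func main() {
	m, err := decodeSample()
	if err != nil {
		panic(err)
	}
	ok, n, results := m.Valid()
	fmt.Println(ok, n, results, "x_example_score =", string(m.Custom["x_example_score"]))
}
```

The alias trick inside UnmarshalJSON is what lets the type decode its own known fields without calling itself; the second decode into a map of json.RawMessage is the cheap way to keep whatever the producer added, which is the reason the page's GetPropertyList has to stay in sync with the struct.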
