maec/
vocab.rs

1//! MAEC 5.0 Open Vocabularies
2//!
3//! This module provides type-safe enumerations for all MAEC 5.0 open vocabularies,
4//! ensuring 100% compliance with the MAEC specification.
5
6use serde::{Deserialize, Serialize};
7
8/// Analysis conclusion types
9#[derive(Debug, Clone, Copy, PartialEq, Eq, Hash, Serialize, Deserialize)]
10#[serde(rename_all = "kebab-case")]
11pub enum AnalysisConclusionType {
12    /// The analyzed entity is benign
13    Benign,
14    /// The analyzed entity is malicious
15    Malicious,
16    /// The analyzed entity is suspicious
17    Suspicious,
18    /// The conclusion is indeterminate
19    Indeterminate,
20}
21
22/// Analysis environment properties
23#[derive(Debug, Clone, Copy, PartialEq, Eq, Hash, Serialize, Deserialize)]
24#[serde(rename_all = "kebab-case")]
25pub enum AnalysisEnvironment {
26    /// Operating system property
27    OperatingSystem,
28    /// Host VM property
29    HostVm,
30    /// Installed software property
31    InstalledSoftware,
32}
33
34/// Malware analysis types
35#[derive(Debug, Clone, Copy, PartialEq, Eq, Hash, Serialize, Deserialize)]
36#[serde(rename_all = "kebab-case")]
37pub enum AnalysisType {
38    /// Static analysis
39    Static,
40    /// Dynamic analysis
41    Dynamic,
42    /// Combination of static and dynamic
43    Combination,
44}
45
46/// Confidence measure levels (aligned with STIX HighMediumLow vocabulary)
47#[derive(Debug, Clone, Copy, PartialEq, Eq, Hash, Serialize, Deserialize)]
48#[serde(rename_all = "kebab-case")]
49pub enum ConfidenceMeasure {
50    /// Low confidence
51    Low,
52    /// Medium confidence
53    Medium,
54    /// High confidence
55    High,
56    /// No confidence
57    None,
58    /// Unknown confidence
59    Unknown,
60}
61
62/// Processor architectures
63#[derive(Debug, Clone, Copy, PartialEq, Eq, Hash, Serialize, Deserialize)]
64#[serde(rename_all = "kebab-case")]
65pub enum ProcessorArchitecture {
66    /// x86 32-bit architecture
67    X86,
68    /// x86-64 (AMD64) architecture
69    #[serde(rename = "x86-64")]
70    X8664,
71    /// Intel IA-64 architecture
72    #[serde(rename = "ia-64")]
73    Ia64,
74    /// PowerPC architecture
75    PowerPc,
76    /// ARM architecture
77    Arm,
78    /// Alpha architecture
79    Alpha,
80    /// SPARC architecture
81    Sparc,
82    /// MIPS architecture
83    Mips,
84}
85
86/// Binary obfuscation methods
87#[derive(Debug, Clone, Copy, PartialEq, Eq, Hash, Serialize, Deserialize)]
88#[serde(rename_all = "kebab-case")]
89pub enum ObfuscationMethod {
90    /// Packing/compression
91    Packing,
92    /// Code encryption
93    CodeEncryption,
94    /// Dead code insertion
95    DeadCodeInsertion,
96    /// Entry point obfuscation
97    EntryPointObfuscation,
98    /// Import address table obfuscation
99    ImportAddressTableObfuscation,
100    /// Interleaving code
101    InterleavingCode,
102    /// Symbolic obfuscation
103    SymbolicObfuscation,
104    /// String obfuscation
105    StringObfuscation,
106    /// Subroutine reordering
107    SubroutineReordering,
108    /// Code transposition
109    CodeTransposition,
110    /// Instruction substitution
111    InstructionSubstitution,
112    /// Register reassignment
113    RegisterReassignment,
114}
115
116// Helper macro for creating large string-based enums
117macro_rules! string_enum {
118    (
119        $(#[$meta:meta])*
120        $vis:vis enum $name:ident {
121            $(
122                $(#[$variant_meta:meta])*
123                $variant:ident => $value:expr
124            ),* $(,)?
125        }
126    ) => {
127        $(#[$meta])*
128        #[derive(Debug, Clone, PartialEq, Eq, Hash, Serialize, Deserialize)]
129        #[serde(rename_all = "kebab-case")]
130        $vis enum $name {
131            $(
132                $(#[$variant_meta])*
133                #[serde(rename = $value)]
134                $variant,
135            )*
136        }
137    };
138}
139
140string_enum! {
141    /// Delivery/infection vectors
142    pub enum DeliveryVector {
143        ActiveAttacker => "active-attacker",
144        AutoExecutingMedia => "auto-executing-media",
145        Downloader => "downloader",
146        Dropper => "dropper",
147        EmailAttachment => "email-attachment",
148        ExploitKitLandingPage => "exploit-kit-landing-page",
149        FakeWebsite => "fake-website",
150        JanitorAttack => "janitor-attack",
151        MaliciousIframes => "malicious-iframes",
152        Malvertising => "malvertising",
153        MediaBaiting => "media-baiting",
154        Pharming => "pharming",
155        Phishing => "phishing",
156        TrojanizedLink => "trojanized-link",
157        TrojanizedSoftware => "trojanized-software",
158        UsbCableSyncing => "usb-cable-syncing",
159        WateringHole => "watering-hole",
160    }
161}
162
163string_enum! {
164    /// Common malware labels
165    pub enum MalwareLabel {
166        Adware => "adware",
167        Appender => "appender",
168        Backdoor => "backdoor",
169        BootSectorVirus => "boot-sector-virus",
170        Bot => "bot",
171        CavityFiller => "cavity-filler",
172        Clicker => "clicker",
173        CompanionVirus => "companion-virus",
174        DataDiddler => "data-diddler",
175        Downloader => "downloader",
176        DropperFile => "dropper-file",
177        FileInfectorVirus => "file-infector-virus",
178        ForkBomb => "fork-bomb",
179        Greyware => "greyware",
180        Implant => "implant",
181        Infector => "infector",
182        JokeProgram => "joke-program",
183        Keylogger => "keylogger",
184        KleptographicWorm => "kleptographic-worm",
185        MacroVirus => "macro-virus",
186        MassMailer => "mass-mailer",
187        MetamorphicVirus => "metamorphic-virus",
188        MidInfector => "mid-infector",
189        MobileCode => "mobile-code",
190        MultipartiteVirus => "multipartite-virus",
191        ParentalControl => "parental-control",
192        PasswordStealer => "password-stealer",
193        PolymorphicVirus => "polymorphic-virus",
194        PremiumDialerOrSmser => "premium-dialer-or-smser",
195        Prepender => "prepender",
196        Ransomware => "ransomware",
197        RogueAntiMalware => "rogue-anti-malware",
198        Rootkit => "rootkit",
199        Scareware => "scareware",
200        SecurityAssessmentTool => "security-assessment-tool",
201        Shellcode => "shellcode",
202        SpaghettiPacker => "spaghetti-packer",
203        Spyware => "spyware",
204        Trackware => "trackware",
205        TrojanHorse => "trojan-horse",
206        Virus => "virus",
207        WebBug => "web-bug",
208        Wiper => "wiper",
209        Worm => "worm",
210    }
211}
212
213string_enum! {
214    /// MAEC entity association types
215    pub enum EntityAssociation {
216        FileSystemEntities => "file-system-entities",
217        NetworkEntities => "network-entities",
218        ProcessEntities => "process-entities",
219        MemoryEntities => "memory-entities",
220        IpcEntities => "ipc-entities",
221        DeviceEntities => "device-entities",
222        RegistryEntities => "registry-entities",
223        ServiceEntities => "service-entities",
224        PotentialIndicators => "potential-indicators",
225        SameMalwareFamily => "same-malware-family",
226        ClusteredTogether => "clustered-together",
227        ObservedTogether => "observed-together",
228        PartOfIntrusionSet => "part-of-intrusion-set",
229        SameMalwareToolkit => "same-malware-toolkit",
230    }
231}
232
233/// Allow using string slices directly for vocabularies
234impl AsRef<str> for DeliveryVector {
235    fn as_ref(&self) -> &str {
236        match self {
237            DeliveryVector::ActiveAttacker => "active-attacker",
238            DeliveryVector::AutoExecutingMedia => "auto-executing-media",
239            DeliveryVector::Downloader => "downloader",
240            DeliveryVector::Dropper => "dropper",
241            DeliveryVector::EmailAttachment => "email-attachment",
242            DeliveryVector::ExploitKitLandingPage => "exploit-kit-landing-page",
243            DeliveryVector::FakeWebsite => "fake-website",
244            DeliveryVector::JanitorAttack => "janitor-attack",
245            DeliveryVector::MaliciousIframes => "malicious-iframes",
246            DeliveryVector::Malvertising => "malvertising",
247            DeliveryVector::MediaBaiting => "media-baiting",
248            DeliveryVector::Pharming => "pharming",
249            DeliveryVector::Phishing => "phishing",
250            DeliveryVector::TrojanizedLink => "trojanized-link",
251            DeliveryVector::TrojanizedSoftware => "trojanized-software",
252            DeliveryVector::UsbCableSyncing => "usb-cable-syncing",
253            DeliveryVector::WateringHole => "watering-hole",
254        }
255    }
256}
257
258impl AsRef<str> for MalwareLabel {
259    fn as_ref(&self) -> &str {
260        match self {
261            MalwareLabel::Adware => "adware",
262            MalwareLabel::Appender => "appender",
263            MalwareLabel::Backdoor => "backdoor",
264            MalwareLabel::BootSectorVirus => "boot-sector-virus",
265            MalwareLabel::Bot => "bot",
266            MalwareLabel::CavityFiller => "cavity-filler",
267            MalwareLabel::Clicker => "clicker",
268            MalwareLabel::CompanionVirus => "companion-virus",
269            MalwareLabel::DataDiddler => "data-diddler",
270            MalwareLabel::Downloader => "downloader",
271            MalwareLabel::DropperFile => "dropper-file",
272            MalwareLabel::FileInfectorVirus => "file-infector-virus",
273            MalwareLabel::ForkBomb => "fork-bomb",
274            MalwareLabel::Greyware => "greyware",
275            MalwareLabel::Implant => "implant",
276            MalwareLabel::Infector => "infector",
277            MalwareLabel::JokeProgram => "joke-program",
278            MalwareLabel::Keylogger => "keylogger",
279            MalwareLabel::KleptographicWorm => "kleptographic-worm",
280            MalwareLabel::MacroVirus => "macro-virus",
281            MalwareLabel::MassMailer => "mass-mailer",
282            MalwareLabel::MetamorphicVirus => "metamorphic-virus",
283            MalwareLabel::MidInfector => "mid-infector",
284            MalwareLabel::MobileCode => "mobile-code",
285            MalwareLabel::MultipartiteVirus => "multipartite-virus",
286            MalwareLabel::ParentalControl => "parental-control",
287            MalwareLabel::PasswordStealer => "password-stealer",
288            MalwareLabel::PolymorphicVirus => "polymorphic-virus",
289            MalwareLabel::PremiumDialerOrSmser => "premium-dialer-or-smser",
290            MalwareLabel::Prepender => "prepender",
291            MalwareLabel::Ransomware => "ransomware",
292            MalwareLabel::RogueAntiMalware => "rogue-anti-malware",
293            MalwareLabel::Rootkit => "rootkit",
294            MalwareLabel::Scareware => "scareware",
295            MalwareLabel::SecurityAssessmentTool => "security-assessment-tool",
296            MalwareLabel::Shellcode => "shellcode",
297            MalwareLabel::SpaghettiPacker => "spaghetti-packer",
298            MalwareLabel::Spyware => "spyware",
299            MalwareLabel::Trackware => "trackware",
300            MalwareLabel::TrojanHorse => "trojan-horse",
301            MalwareLabel::Virus => "virus",
302            MalwareLabel::WebBug => "web-bug",
303            MalwareLabel::Wiper => "wiper",
304            MalwareLabel::Worm => "worm",
305        }
306    }
307}
308
309#[cfg(test)]
310mod tests {
311    use super::*;
312
313    #[test]
314    fn test_analysis_conclusion_serde() {
315        let conclusion = AnalysisConclusionType::Malicious;
316        let json = serde_json::to_string(&conclusion).unwrap();
317        assert_eq!(json, "\"malicious\"");
318
319        let deserialized: AnalysisConclusionType = serde_json::from_str(&json).unwrap();
320        assert_eq!(conclusion, deserialized);
321    }
322
323    #[test]
324    fn test_delivery_vector_serde() {
325        let vector = DeliveryVector::EmailAttachment;
326        let json = serde_json::to_string(&vector).unwrap();
327        assert_eq!(json, "\"email-attachment\"");
328
329        let deserialized: DeliveryVector = serde_json::from_str(&json).unwrap();
330        assert_eq!(vector, deserialized);
331    }
332
333    #[test]
334    fn test_malware_label_serde() {
335        let label = MalwareLabel::Ransomware;
336        let json = serde_json::to_string(&label).unwrap();
337        assert_eq!(json, "\"ransomware\"");
338
339        let deserialized: MalwareLabel = serde_json::from_str(&json).unwrap();
340        assert_eq!(label, deserialized);
341    }
342
343    #[test]
344    fn test_processor_arch_serde() {
345        let arch = ProcessorArchitecture::X8664;
346        let json = serde_json::to_string(&arch).unwrap();
347        assert_eq!(json, "\"x86-64\"");
348
349        let deserialized: ProcessorArchitecture = serde_json::from_str(&json).unwrap();
350        assert_eq!(arch, deserialized);
351    }
352}
maec/vocab.rs

maec/
vocab.rs
