stix_rs/
vocab.rs

1//! Vocabulary / enumerations for STIX
2
3use serde::{Deserialize, Serialize};
4
5/// Identity class vocabulary
6#[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize)]
7#[serde(rename_all = "kebab-case")]
8pub enum IdentityClass {
9    Individual,
10    Group,
11    System,
12    Organization,
13    Class,
14    Unspecified,
15}
16
17/// Indicator pattern types
18#[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize)]
19#[serde(rename_all = "kebab-case")]
20pub enum IndicatorPatternType {
21    Stix,
22    Pcre,
23    Snort,
24    Suricata,
25    Yara,
26}
27
28/// Hash algorithm vocabulary
29#[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize)]
30pub enum HashAlgorithm {
31    #[serde(rename = "md5")]
32    Md5,
33
34    #[serde(rename = "sha-1")]
35    Sha1,
36
37    #[serde(rename = "sha-256")]
38    Sha256,
39
40    #[serde(rename = "sha-512")]
41    Sha512,
42}
43
44/// Relationship types
45#[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize)]
46#[serde(rename_all = "kebab-case")]
47pub enum RelationshipType {
48    Targets,
49    Uses,
50    LocatedAt,
51    AttributedTo,
52    Indicates,
53    VariantOf,
54}
55
56/// Implementation Language vocabulary (for malware, tools, etc.)
57#[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize)]
58#[serde(rename_all = "kebab-case")]
59pub enum ImplementationLanguage {
60    Applescript,
61    Bash,
62    C,
63    #[serde(rename = "c++")]
64    Cpp,
65    #[serde(rename = "c#")]
66    Csharp,
67    Go,
68    Java,
69    Javascript,
70    Lua,
71    #[serde(rename = "objective-c")]
72    ObjectiveC,
73    Perl,
74    Php,
75    Powershell,
76    Python,
77    Ruby,
78    Scala,
79    Swift,
80    #[serde(rename = "typescript")]
81    TypeScript,
82    #[serde(rename = "visual-basic")]
83    VisualBasic,
84    #[serde(rename = "x86-32")]
85    X8632,
86    #[serde(rename = "x86-64")]
87    X8664,
88}
89
90/// Indicator Type vocabulary
91#[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize)]
92#[serde(rename_all = "kebab-case")]
93pub enum IndicatorType {
94    AnomalousActivity,
95    Anonymization,
96    Benign,
97    Compromised,
98    MaliciousActivity,
99    Attribution,
100    Unknown,
101}
102
103/// Malware Type vocabulary
104#[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize)]
105#[serde(rename_all = "kebab-case")]
106pub enum MalwareType {
107    Adware,
108    Backdoor,
109    Bot,
110    Bootkit,
111    #[serde(rename = "ddos")]
112    Ddos,
113    Downloader,
114    Dropper,
115    #[serde(rename = "exploit-kit")]
116    ExploitKit,
117    Keylogger,
118    Ransomware,
119    #[serde(rename = "remote-access-trojan")]
120    RemoteAccessTrojan,
121    ResourceExploitation,
122    Rogue,
123    Rootkit,
124    #[serde(rename = "screen-capture")]
125    ScreenCapture,
126    Spyware,
127    Trojan,
128    Virus,
129    Webshell,
130    Wiper,
131    Worm,
132}
133
134/// Threat Actor Type vocabulary
135#[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize)]
136#[serde(rename_all = "kebab-case")]
137pub enum ThreatActorType {
138    Activist,
139    Competitor,
140    #[serde(rename = "crime-syndicate")]
141    CrimeSyndicate,
142    Criminal,
143    Hacker,
144    #[serde(rename = "insider-accidental")]
145    InsiderAccidental,
146    #[serde(rename = "insider-disgruntled")]
147    InsiderDisgruntled,
148    #[serde(rename = "nation-state")]
149    NationState,
150    Sensationalist,
151    Spy,
152    Terrorist,
153    Unknown,
154}
155
156/// Threat Actor Role vocabulary
157#[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize)]
158#[serde(rename_all = "kebab-case")]
159pub enum ThreatActorRole {
160    Agent,
161    Director,
162    Independent,
163    Infrastructor,
164    Sponsor,
165}
166
167/// Threat Actor Sophistication vocabulary
168#[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize)]
169#[serde(rename_all = "kebab-case")]
170pub enum ThreatActorSophistication {
171    None,
172    Minimal,
173    Intermediate,
174    Advanced,
175    Expert,
176    Innovator,
177    Strategic,
178}
179
180/// Attack Motivation vocabulary
181#[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize)]
182#[serde(rename_all = "kebab-case")]
183pub enum AttackMotivation {
184    Accidental,
185    Coercion,
186    Dominance,
187    Ideology,
188    #[serde(rename = "notoriety")]
189    Notoriety,
190    #[serde(rename = "organizational-gain")]
191    OrganizationalGain,
192    #[serde(rename = "personal-gain")]
193    PersonalGain,
194    #[serde(rename = "personal-satisfaction")]
195    PersonalSatisfaction,
196    Revenge,
197    Unpredictable,
198}
199
200/// Attack Resource Level vocabulary
201#[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize)]
202#[serde(rename_all = "kebab-case")]
203pub enum AttackResourceLevel {
204    Individual,
205    Club,
206    Contest,
207    Team,
208    Organization,
209    Government,
210}
211
212/// Tool Type vocabulary
213#[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize)]
214#[serde(rename_all = "kebab-case")]
215pub enum ToolType {
216    #[serde(rename = "denial-of-service")]
217    DenialOfService,
218    Exploitation,
219    #[serde(rename = "information-gathering")]
220    InformationGathering,
221    #[serde(rename = "network-capture")]
222    NetworkCapture,
223    #[serde(rename = "credential-exploitation")]
224    CredentialExploitation,
225    #[serde(rename = "remote-access")]
226    RemoteAccess,
227    #[serde(rename = "vulnerability-scanning")]
228    VulnerabilityScanning,
229    Unknown,
230}
231
232/// Infrastructure Type vocabulary
233#[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize)]
234#[serde(rename_all = "kebab-case")]
235pub enum InfrastructureType {
236    #[serde(rename = "amplification")]
237    Amplification,
238    #[serde(rename = "anonymization")]
239    Anonymization,
240    #[serde(rename = "botnet")]
241    Botnet,
242    #[serde(rename = "command-and-control")]
243    CommandAndControl,
244    #[serde(rename = "exfiltration")]
245    Exfiltration,
246    #[serde(rename = "hosting-malware")]
247    HostingMalware,
248    #[serde(rename = "hosting-target-lists")]
249    HostingTargetLists,
250    #[serde(rename = "phishing")]
251    Phishing,
252    #[serde(rename = "reconnaissance")]
253    Reconnaissance,
254    #[serde(rename = "staging")]
255    Staging,
256    Unknown,
257}
258
259/// Report Type vocabulary
260#[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize)]
261#[serde(rename_all = "kebab-case")]
262pub enum ReportType {
263    #[serde(rename = "attack-pattern")]
264    AttackPattern,
265    Campaign,
266    Identity,
267    Indicator,
268    Intrusion,
269    Malware,
270    #[serde(rename = "observed-data")]
271    ObservedData,
272    #[serde(rename = "threat-actor")]
273    ThreatActor,
274    #[serde(rename = "threat-report")]
275    ThreatReport,
276    Tool,
277    Vulnerability,
278}
279
280/// Industry Sector vocabulary
281#[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize)]
282#[serde(rename_all = "kebab-case")]
283pub enum IndustrySector {
284    Agriculture,
285    Aerospace,
286    Automotive,
287    Chemical,
288    Commercial,
289    Communications,
290    Construction,
291    Defense,
292    Education,
293    Energy,
294    Entertainment,
295    #[serde(rename = "financial-services")]
296    FinancialServices,
297    Government,
298    #[serde(rename = "government-emergency-services")]
299    GovernmentEmergencyServices,
300    #[serde(rename = "government-local")]
301    GovernmentLocal,
302    #[serde(rename = "government-national")]
303    GovernmentNational,
304    #[serde(rename = "government-public-services")]
305    GovernmentPublicServices,
306    #[serde(rename = "government-regional")]
307    GovernmentRegional,
308    Healthcare,
309    #[serde(rename = "hospitality-leisure")]
310    HospitalityLeisure,
311    Infrastructure,
312    #[serde(rename = "infrastructure-dams")]
313    InfrastructureDams,
314    #[serde(rename = "infrastructure-nuclear")]
315    InfrastructureNuclear,
316    #[serde(rename = "infrastructure-water")]
317    InfrastructureWater,
318    Insurance,
319    Manufacturing,
320    Mining,
321    #[serde(rename = "non-profit")]
322    NonProfit,
323    Petroleum,
324    Pharmaceuticals,
325    Retail,
326    Technology,
327    Telecommunications,
328    Transportation,
329    Utilities,
330}
331
332/// Encryption Algorithm vocabulary
333#[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize)]
334#[serde(rename_all = "UPPERCASE")]
335pub enum EncryptionAlgorithm {
336    #[serde(rename = "AES-256-GCM")]
337    Aes256Gcm,
338    #[serde(rename = "ChaCha20-Poly1305")]
339    ChaCha20Poly1305,
340    #[serde(rename = "AES-128-GCM")]
341    Aes128Gcm,
342}
343
344#[cfg(test)]
345mod tests {
346    use super::*;
347    use serde_json;
348
349    #[test]
350    fn identity_class_serializes() {
351        let j = serde_json::to_string(&IdentityClass::System).unwrap();
352        assert_eq!(j, "\"system\"");
353
354        let j2 = serde_json::to_string(&IdentityClass::Unspecified).unwrap();
355        assert_eq!(j2, "\"unspecified\"");
356    }
357
358    #[test]
359    fn indicator_pattern_serializes() {
360        let j = serde_json::to_string(&IndicatorPatternType::Stix).unwrap();
361        assert_eq!(j, "\"stix\"");
362
363        let j2 = serde_json::to_string(&IndicatorPatternType::Yara).unwrap();
364        assert_eq!(j2, "\"yara\"");
365    }
366
367    #[test]
368    fn hash_algorithm_serializes() {
369        assert_eq!(
370            serde_json::to_string(&HashAlgorithm::Md5).unwrap(),
371            "\"md5\""
372        );
373        assert_eq!(
374            serde_json::to_string(&HashAlgorithm::Sha1).unwrap(),
375            "\"sha-1\""
376        );
377        assert_eq!(
378            serde_json::to_string(&HashAlgorithm::Sha256).unwrap(),
379            "\"sha-256\""
380        );
381        assert_eq!(
382            serde_json::to_string(&HashAlgorithm::Sha512).unwrap(),
383            "\"sha-512\""
384        );
385    }
386
387    #[test]
388    fn relationship_type_serializes() {
389        assert_eq!(
390            serde_json::to_string(&RelationshipType::Targets).unwrap(),
391            "\"targets\""
392        );
393        assert_eq!(
394            serde_json::to_string(&RelationshipType::LocatedAt).unwrap(),
395            "\"located-at\""
396        );
397        assert_eq!(
398            serde_json::to_string(&RelationshipType::AttributedTo).unwrap(),
399            "\"attributed-to\""
400        );
401    }
402
403    #[test]
404    fn implementation_language_serializes() {
405        assert_eq!(
406            serde_json::to_string(&ImplementationLanguage::Python).unwrap(),
407            "\"python\""
408        );
409        assert_eq!(
410            serde_json::to_string(&ImplementationLanguage::Cpp).unwrap(),
411            "\"c++\""
412        );
413        assert_eq!(
414            serde_json::to_string(&ImplementationLanguage::Csharp).unwrap(),
415            "\"c#\""
416        );
417        assert_eq!(
418            serde_json::to_string(&ImplementationLanguage::Javascript).unwrap(),
419            "\"javascript\""
420        );
421    }
422
423    #[test]
424    fn indicator_type_serializes() {
425        assert_eq!(
426            serde_json::to_string(&IndicatorType::MaliciousActivity).unwrap(),
427            "\"malicious-activity\""
428        );
429        assert_eq!(
430            serde_json::to_string(&IndicatorType::AnomalousActivity).unwrap(),
431            "\"anomalous-activity\""
432        );
433        assert_eq!(
434            serde_json::to_string(&IndicatorType::Unknown).unwrap(),
435            "\"unknown\""
436        );
437    }
438
439    #[test]
440    fn malware_type_serializes() {
441        assert_eq!(
442            serde_json::to_string(&MalwareType::Ransomware).unwrap(),
443            "\"ransomware\""
444        );
445        assert_eq!(
446            serde_json::to_string(&MalwareType::RemoteAccessTrojan).unwrap(),
447            "\"remote-access-trojan\""
448        );
449        assert_eq!(
450            serde_json::to_string(&MalwareType::Backdoor).unwrap(),
451            "\"backdoor\""
452        );
453    }
454
455    #[test]
456    fn threat_actor_type_serializes() {
457        assert_eq!(
458            serde_json::to_string(&ThreatActorType::NationState).unwrap(),
459            "\"nation-state\""
460        );
461        assert_eq!(
462            serde_json::to_string(&ThreatActorType::Criminal).unwrap(),
463            "\"criminal\""
464        );
465    }
466
467    #[test]
468    fn tool_type_serializes() {
469        assert_eq!(
470            serde_json::to_string(&ToolType::RemoteAccess).unwrap(),
471            "\"remote-access\""
472        );
473        assert_eq!(
474            serde_json::to_string(&ToolType::Exploitation).unwrap(),
475            "\"exploitation\""
476        );
477    }
478
479    #[test]
480    fn infrastructure_type_serializes() {
481        assert_eq!(
482            serde_json::to_string(&InfrastructureType::CommandAndControl).unwrap(),
483            "\"command-and-control\""
484        );
485        assert_eq!(
486            serde_json::to_string(&InfrastructureType::Botnet).unwrap(),
487            "\"botnet\""
488        );
489    }
490}
stix_rs/vocab.rs

stix_rs/
vocab.rs
