
//! Types for working with STIX vocabularies.
//!
//! From the [specification](https://docs.oasis-open.org/cti/stix/v2.1/cs01/stix-v2.1-cs01.html#_vbsdt43uxrv0):
//!
//! > Some STIX properties are defined using open vocabularies or enumerations.
//! > Enumerations and open vocabularies are defined in STIX in order to enhance interoperability
//! > by increasing the likelihood that different entities use the same exact string to represent
//! > the same concept. If used consistently, open vocabularies make it less likely that one entity
//! > refers to the energy sector as “Energy” and another as “Energy Sector”, thereby making comparison
//! > and correlation easier.
//!
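/// An open STIX vocabulary. Vocabularies improve correlation across threat intel from different
/// sources by ensuring exact string equality whenever there is semantic equality.
///
/// Vocabularies are *open*: the specification permits values outside the listed set, and producers
/// do extend them. A value for which [`Vocabulary::is_known_value`] returns `false` is therefore a
/// candidate for normalization or analyst review, not a parse or validation failure.
pub trait Vocabulary {
    /// The vocabulary identifier. This is typically a kebab-case string ending in `-ov`,
    /// e.g. `account-type-ov`.
    const TYPE: &'static str;

    /// Whether the contained string is one of the values the vocabulary defines.
    ///
    /// Because the vocabulary is open, `false` does not mean the value is invalid — only that it
    /// will not compare equal to the specification's canonical spelling of any known value.
    fn is_known_value(&self) -> bool;
}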
// Account types for user-account observables; presumably surfaces as the STIX
// `account-type-ov` open vocabulary. The `#[vocabulary(core)]` attribute and the
// `Vocabulary` impl are produced by `stix_derive`, whose expansion is not visible
// here — confirm the generated `TYPE` string and value spelling there.
stix_derive::vocabulary!(
    #[vocabulary(core)]
    AccountType = [
        facebook,
        ldap,
        nis,
        openid,
        radius,
        skype,
        tacacs,
        twitter,
        unix,
        windows_local,
        windows_domain
    ]
);
// Threat-actor / intrusion-set motivations; presumably surfaces as the STIX
// `attack-motivation-ov` open vocabulary. Generated by `stix_derive` — confirm the
// `TYPE` string and the identifier-to-value mapping (e.g. `organizational_gain`
// to `organizational-gain`) there, since the expansion is not visible here.
stix_derive::vocabulary!(
    #[vocabulary(core)]
    AttackMotivation = [
        accidental,
        coercion,
        dominance,
        ideology,
        notoriety,
        organizational_gain,
        personal_gain,
        personal_satisfaction,
        revenge,
        unpredictable
    ]
);
// Resource level available to an attacker, ordered here from individual to
// government; presumably surfaces as the STIX `attack-resource-level-ov` open
// vocabulary. Whether the generated type preserves this order (e.g. for `Ord`)
// depends on `stix_derive` — do not rely on it without checking the expansion.
stix_derive::vocabulary!(
    #[vocabulary(core)]
    AttackResourceLevel = [individual, club, contest, team, organization, government]
);
// Languages a malware sample is implemented in; presumably surfaces as the STIX
// `implementation-language-ov` open vocabulary. Bare identifiers such as
// `objective_c` and `x86_32` are presumably mapped to the STIX spelling
// (`objective-c`, `x86-32`) by `stix_derive` — verify against the macro, since
// a wrong mapping silently makes `is_known_value` return `false` for spec-conformant
// input.
stix_derive::vocabulary!(
    #[vocabulary(core)]
    ImplementationLanguage = [
        applescript,
        bash,
        c,
        // Explicit string where the STIX value is not a valid Rust identifier; the
        // macro presumably uses the literal as the wire value — confirm in `stix_derive`.
        c_plus_plus = "c++",
        c_sharp = "c#",
        go,
        java,
        javascript,
        lua,
        objective_c,
        perl,
        php,
        powershell,
        python,
        ruby,
        scala,
        swift,
        typescript,
        visual_basic,
        x86_32,
        x86_64
    ]
);
// Observed capabilities of a malware sample, as catalogued for intel sharing and
// detection engineering; presumably surfaces as the STIX `malware-capabilities-ov`
// open vocabulary. Generated by `stix_derive` — confirm the `TYPE` string and the
// underscore-to-hyphen value mapping (e.g. `communicates_with_c2` to
// `communicates-with-c2`) there, since the expansion is not visible here.
stix_derive::vocabulary!(
    #[vocabulary(core)]
    MalwareCapabilities = [
        accesses_remote_machines,
        anti_debugging,
        anti_disassembly,
        anti_emulation,
        anti_memory_forensics,
        anti_sandbox,
        anti_vm,
        captures_input_peripherals,
        captures_output_peripherals,
        captures_system_state_data,
        cleans_traces_of_infection,
        commits_fraud,
        communicates_with_c2,
        compromises_data_availability,
        compromises_data_integrity,
        compromises_system_availability,
        controls_local_machine,
        degrades_security_software,
        degrades_system_updates,
        determines_c2_server,
        emails_spam,
        escalates_privileges,
        evades_av,
        exfiltrates_data,
        fingerprints_host,
        hides_artifacts,
        hides_executing_code,
        infects_files,
        infects_remote_machines,
        installs_other_components,
        persists_after_system_reboot,
        prevents_artifact_access,
        prevents_artifact_deletion,
        probes_network_environment,
        self_modifies,
        steals_authentication_credentials,
        violates_system_operational_integrity
    ]
);
// Malware families / classes; presumably surfaces as the STIX `malware-type-ov`
// open vocabulary. `unknown` is itself a known value, so a sample with no
// classification should use it rather than an empty or ad-hoc string. Generated by
// `stix_derive` — confirm the `TYPE` string and value spelling there.
stix_derive::vocabulary!(
    #[vocabulary(core)]
    MalwareType = [
        adware,
        backdoor,
        bot,
        bootkit,
        ddos,
        downloader,
        dropper,
        exploit_kit,
        keylogger,
        ransomware,
        remote_access_trojan,
        resource_exploitation,
        rogue_security_software,
        rootkit,
        screen_capture,
        spyware,
        trojan,
        unknown,
        virus,
        webshell,
        wiper,
        worm
    ]
);
// Processor architectures a sample targets; presumably surfaces as the STIX
// `processor-architecture-ov` open vocabulary. `ia_64` and `x86_64` are presumably
// mapped to `ia-64` and `x86-64` by `stix_derive` — verify against the macro, since
// the expansion is not visible here.
stix_derive::vocabulary!(
    #[vocabulary(core)]
    ProcessorArchitecture = [alpha, arm, ia_64, mips, powerpc, sparc, x86, x86_64]
);