File Coverage

blib/lib/STIX.pm

Criterion	Covered	Total	%
statement	266	273	97.4
branch			n/a
condition			n/a
subroutine	127	134	94.7
pod	64	64	100.0
total	457	471	97.0

line	stmt	sub	pod	time	code
1					package STIX;
2
3	24	24		2952399	use 5.010001;
	24			95
4	24	24		184	use strict;
	24			47
	24			886
5	24	24		123	use warnings;
	24			47
	24			1528
6	24	24		10903	use utf8;
	24			6528
	24			170
7
8	24	24		1175	use Exporter qw(import);
	24			48
	24			994
9
10
11					# STIX Domain Objects
12	24	24		11725	use STIX::AttackPattern;
	24			127
	24			1355
13	24	24		15309	use STIX::Campaign;
	24			738
	24			1922
14	24	24		18128	use STIX::CourseOfAction;
	24			114
	24			1227
15	24	24		14621	use STIX::Grouping;
	24			138
	24			1476
16	24	24		16319	use STIX::Identity;
	24			128
	24			1298
17	24	24		15817	use STIX::Incident;
	24			110
	24			1144
18	24	24		14377	use STIX::Indicator;
	24			139
	24			1314
19	24	24		16408	use STIX::Infrastructure;
	24			142
	24			1487
20	24	24		18751	use STIX::IntrusionSet;
	24			156
	24			1553
21	24	24		16479	use STIX::Location;
	24			160
	24			1667
22	24	24		16940	use STIX::Malware;
	24			146
	24			1466
23	24	24		15593	use STIX::MalwareAnalysis;
	24			147
	24			1352
24	24	24		14563	use STIX::Note;
	24			123
	24			1497
25	24	24		15352	use STIX::ObservedData;
	24			132
	24			1313
26	24	24		14399	use STIX::Opinion;
	24			128
	24			1224
27	24	24		14649	use STIX::Report;
	24			142
	24			1345
28	24	24		15520	use STIX::ThreatActor;
	24			146
	24			1554
29	24	24		16372	use STIX::Tool;
	24			179
	24			1324
30	24	24		14543	use STIX::Vulnerability;
	24			140
	24			1219
31
32					# STIX Cyber-observable Objects
33	24	24		14559	use STIX::Observable::Artifact;
	24			131
	24			1260
34	24	24		16094	use STIX::Observable::AutonomousSystem;
	24			116
	24			1204
35	24	24		14648	use STIX::Observable::Directory;
	24			145
	24			1415
36	24	24		15129	use STIX::Observable::DomainName;
	24			137
	24			1379
37	24	24		15376	use STIX::Observable::EmailAddr;
	24			124
	24			1212
38	24	24		14364	use STIX::Observable::EmailMessage;
	24			167
	24			1336
39	24	24		15656	use STIX::Observable::File;
	24			2914
	24			3088
40	24	24		15312	use STIX::Observable::IPv4Addr;
	24			134
	24			1253
41	24	24		14646	use STIX::Observable::IPv6Addr;
	24			175
	24			1206
42	24	24		14453	use STIX::Observable::MACAddr;
	24			113
	24			5983
43	24	24		12663	use STIX::Observable::Mutex;
	24			137
	24			1120
44	24	24		13629	use STIX::Observable::NetworkTraffic;
	24			157
	24			1454
45	24	24		15895	use STIX::Observable::Process;
	24			142
	24			1440
46	24	24		15111	use STIX::Observable::Software;
	24			132
	24			1338
47	24	24		15083	use STIX::Observable::URL;
	24			113
	24			1287
48	24	24		14781	use STIX::Observable::UserAccount;
	24			158
	24			1404
49	24	24		15547	use STIX::Observable::WindowsRegistryKey;
	24			123
	24			1376
50	24	24		16807	use STIX::Observable::X509Certificate;
	24			195
	24			1403
51
52					## Types
53	24	24		16616	use STIX::Observable::Type::AlternateDataStream;
	24			115
	24			1253
54	24	24		14997	use STIX::Observable::Type::EmailMIMEPart;
	24			136
	24			1416
55	24	24		16212	use STIX::Observable::Type::WindowsRegistryValue;
	24			131
	24			1216
56	24	24		15981	use STIX::Observable::Type::X509V3Extensions;
	24			154
	24			1368
57
58					## Extensions
59	24	24		15824	use STIX::Observable::Extension::Archive;
	24			126
	24			1221
60	24	24		16302	use STIX::Observable::Extension::HTTPRequest;
	24			131
	24			1392
61	24	24		15171	use STIX::Observable::Extension::ICMP;
	24			141
	24			1177
62	24	24		14589	use STIX::Observable::Extension::NTFS;
	24			135
	24			1181
63	24	24		14866	use STIX::Observable::Extension::PDF;
	24			143
	24			1208
64	24	24		14992	use STIX::Observable::Extension::RasterImage;
	24			120
	24			1174
65	24	24		15320	use STIX::Observable::Extension::Socket;
	24			150
	24			1314
66	24	24		15827	use STIX::Observable::Extension::TCP;
	24			134
	24			1255
67	24	24		15245	use STIX::Observable::Extension::UnixAccount;
	24			123
	24			1218
68	24	24		16049	use STIX::Observable::Extension::WindowsProcess;
	24			143
	24			1293
69	24	24		17723	use STIX::Observable::Extension::WindowsService;
	24			165
	24			1280
70
71					# STIX Relationship Objects
72	24	24		16575	use STIX::Relationship;
	24			144
	24			1411
73	24	24		15668	use STIX::Sighting;
	24			138
	24			1413
74
75					# Common
76	24	24		16673	use STIX::Common::Bundle;
	24			127
	24			1304
77	24	24		15705	use STIX::Common::ExtensionDefinition;
	24			142
	24			1384
78	24	24		15960	use STIX::Common::ExternalReference;
	24			134
	24			1364
79	24	24		18581	use STIX::Common::GranularMarking;
	24			136
	24			1274
80	24	24		16518	use STIX::Common::KillChainPhase;
	24			144
	24			1236
81	24	24		16651	use STIX::Common::MarkingDefinition;
	24			127
	24			2130
82
83					# TLP - Traffic Light Protocol
84	24	24		15256	use STIX::Marking::TLP::White;
	24			160
	24			1257
85	24	24		16393	use STIX::Marking::TLP::Green;
	24			117
	24			1257
86	24	24		15590	use STIX::Marking::TLP::Amber;
	24			112
	24			1269
87	24	24		15086	use STIX::Marking::TLP::Red;
	24			173
	24			10130
88
89
90					my @SDO = (qw[
91					attack_pattern
92					campaign
93					course_of_action
94					grouping
95					identity
96					incident
97					indicator
98					infrastructure
99					intrusion_set
100					location
101					malware
102					malware_analysis
103					note
104					observed_data
105					opinion
106					report
107					threat_actor
108					tool
109					vulnerability
110					]);
111
112					my @SCO = (qw[
113					alternate_data_stream_type
114					archive_ext
115					artifact
116					autonomous_system
117					directory
118					domain_name
119					email_addr
120					email_message
121					email_mime_component_type
122					file
123					http_request_ext
124					icmp_ext
125					ipv4_addr
126					ipv6_addr
127					mac_addr
128					mutex
129					network_traffic
130					ntfs_ext
131					pdf_ext
132					process
133					raster_image_ext
134					socket_ext
135					software
136					tcp_ext
137					unix_account_ext
138					url
139					user_account
140					windows_process_ext
141					windows_registry_key
142					windows_registry_value_type
143					windows_service_ext
144					x509_certificate
145					x509_v3_extensions_type
146					]);
147
148					my @SRO = (qw[
149					relationship
150					sighting
151					]);
152
153					my @TLP = (qw[
154					tlp_white
155					tlp_green
156					tlp_amber
157					tlp_red
158					]);
159
160					my @COMMON = (qw[
161					bundle
162					extension_definition
163					external_reference
164					kill_chain_phase
165					marking_definition
166					]);
167
168					our $VERSION = '1.01';
169					$VERSION =~ tr/_//d; ## no critic
170
171					our %EXPORT_TAGS = (
172					all => [@COMMON, @SDO, @SRO, @SCO, @TLP],
173					common => \@COMMON,
174					sco => \@SCO,
175					sdo => \@SDO,
176					sro => \@SRO,
177					tlp => \@TLP,
178					);
179
180
181					Exporter::export_ok_tags('all');
182					Exporter::export_ok_tags('common');
183					Exporter::export_ok_tags('sco');
184					Exporter::export_ok_tags('sdo');
185					Exporter::export_ok_tags('sro');
186					Exporter::export_ok_tags('tlp');
187
188
189	24	24		223	use constant SCO_NAMESPACE => '00abedb4-aa42-466c-9c01-fed23315a9b7';
	24			60
	24			46225
190
191
192					# STIX Domain Objects
193	13	13	1	371	sub attack_pattern { STIX::AttackPattern->new(@_) }
194	7	7	1	258	sub campaign { STIX::Campaign->new(@_) }
195	3	3	1	81	sub course_of_action { STIX::CourseOfAction->new(@_) }
196	1	1	1	14	sub grouping { STIX::Grouping->new(@_) }
197	10	10	1	276	sub identity { STIX::Identity->new(@_) }
198	1	1	1	14	sub incident { STIX::Incident->new(@_) }
199	45	45	1	1486	sub indicator { STIX::Indicator->new(@_) }
200	3	3	1	109	sub infrastructure { STIX::Infrastructure->new(@_) }
201	3	3	1	48	sub intrusion_set { STIX::IntrusionSet->new(@_) }
202	3	3	1	49	sub location { STIX::Location->new(@_) }
203	38	38	1	1322	sub malware { STIX::Malware->new(@_) }
204	1	1	1	17	sub malware_analysis { STIX::MalwareAnalysis->new(@_) }
205	1	1	1	13	sub note { STIX::Note->new(@_) }
206	2	2	1	64	sub observed_data { STIX::ObservedData->new(@_) }
207	1	1	1	15	sub opinion { STIX::Opinion->new(@_) }
208	4	4	1	97	sub report { STIX::Report->new(@_) }
209	6	6	1	149	sub threat_actor { STIX::ThreatActor->new(@_) }
210	11	11	1	212	sub tool { STIX::Tool->new(@_) }
211	8	8	1	5260	sub vulnerability { STIX::Vulnerability->new(@_) }
212
213					# STIX Relationship Objects
214	137	137	1	3255	sub relationship { STIX::Relationship->new(@_) }
215	3	3	1	100	sub sighting { STIX::Sighting->new(@_) }
216
217					# STIX Common
218	12	12	1	409	sub bundle { STIX::Common::Bundle->new(@_) }
219	0	0	1	0	sub extension_definition { STIX::Common::ExtensionDefinition->new(@_) }
220	24	24	1	415201	sub external_reference { STIX::Common::ExternalReference->new(@_) }
221	0	0	1	0	sub granular_marking { STIX::Common::GranularMarking->new(@_) }
222	26	26	1	610	sub kill_chain_phase { STIX::Common::KillChainPhase->new(@_) }
223	0	0	1	0	sub marking_definition { STIX::Common::MarkingDefinition->new(@_) }
224
225					# STIX Cyber-observable Objects
226	3	3	1	98	sub artifact { STIX::Observable::Artifact->new(@_) }
227	1	1	1	19	sub autonomous_system { STIX::Observable::AutonomousSystem->new(@_) }
228	4	4	1	151	sub directory { STIX::Observable::Directory->new(@_) }
229	6	6	1	382514	sub domain_name { STIX::Observable::DomainName->new(@_) }
230	6	6	1	340	sub email_addr { STIX::Observable::EmailAddr->new(@_) }
231	2	2	1	72	sub email_message { STIX::Observable::EmailMessage->new(@_) }
232	18	18	1	835	sub file { STIX::Observable::File->new(@_) }
233	31	31	1	1173437	sub ipv4_addr { STIX::Observable::IPv4Addr->new(@_) }
234	4	4	1	695552	sub ipv6_addr { STIX::Observable::IPv6Addr->new(@_) }
235	2	2	1	431764	sub mac_addr { STIX::Observable::MACAddr->new(@_) }
236	2	2	1	377001	sub mutex { STIX::Observable::Mutex->new(@_) }
237	13	13	1	488	sub network_traffic { STIX::Observable::NetworkTraffic->new(@_) }
238	6	6	1	6432	sub process { STIX::Observable::Process->new(@_) }
239	2	2	1	331976	sub software { STIX::Observable::Software->new(@_) }
240	2	2	1	302201	sub url { STIX::Observable::URL->new(@_) }
241	6	6	1	761184	sub user_account { STIX::Observable::UserAccount->new(@_) }
242	4	4	1	414370	sub windows_registry_key { STIX::Observable::WindowsRegistryKey->new(@_) }
243	4	4	1	289022	sub x509_certificate { STIX::Observable::X509Certificate->new(@_) }
244
245					## Types
246	1	1	1	15	sub alternate_data_stream_type { STIX::Observable::Type::AlternateDataStream->new(@_) }
247	3	3	1	81	sub email_mime_part_type { STIX::Observable::Type::EmailMIMEPart->new(@_) }
248	4	4	1	333853	sub windows_registry_value_type { STIX::Observable::Type::WindowsRegistryValue->new(@_) }
249	2	2	1	364549	sub x509_v3_extensions_type { STIX::Observable::Type::X509V3Extensions->new(@_) }
250
251					## Extensions
252	1	1	1	17	sub archive_ext { STIX::Observable::Extension::Archive->new(@_) }
253	1	1	1	15	sub http_request_ext { STIX::Observable::Extension::HTTPRequest->new(@_) }
254	1	1	1	20	sub icmp_ext { STIX::Observable::Extension::ICMP->new(@_) }
255	1	1	1	10	sub ntfs_ext { STIX::Observable::Extension::NTFS->new(@_) }
256	1	1	1	19	sub pdf_ext { STIX::Observable::Extension::PDF->new(@_) }
257	1	1	1	18	sub raster_image_ext { STIX::Observable::Extension::RasterImage->new(@_) }
258	1	1	1	47	sub socket_ext { STIX::Observable::Extension::Socket->new(@_) }
259	1	1	1	19	sub tcp_ext { STIX::Observable::Extension::TCP->new(@_) }
260	2	2	1	329234	sub unix_account_ext { STIX::Observable::Extension::UnixAccount->new(@_) }
261	2	2	1	413819	sub windows_process_ext { STIX::Observable::Extension::WindowsProcess->new(@_) }
262	2	2	1	47	sub windows_service_ext { STIX::Observable::Extension::WindowsService->new(@_) }
263
264					# TLP
265	0	0	1		sub tlp_white { STIX::Marking::TLP::White->new(@_) }
266	0	0	1		sub tlp_green { STIX::Marking::TLP::Green->new(@_) }
267	0	0	1		sub tlp_amber { STIX::Marking::TLP::Amber->new(@_) }
268	0	0	1		sub tlp_red { STIX::Marking::TLP::Red->new(@_) }
269
270
271					1;
272
273					=encoding utf-8
274
275					=head1 NAME
276
277					STIX - Structured Threat Information Expression (STIX)
278
279					=head1 SYNOPSIS
280
281					# Object-Oriented interface
282
283					use STIX::Indicator;
284					use STIX::Common::Timestamp;
285					use STIX::Common::Bundle;
286
287					my $bundle = STIX::Common::Bundle->new;
288
289					push @{ $bundle->objects }, STIX::Indicator->new(
290					pattern_type => 'stix',
291					created => STIX::Common::Timestamp->new('2014-05-08T09:00:00'),
292					name => 'IP Address for known C2 channel',
293					description => 'Test description C2 channel.',
294					indicator_types => ['malicious-activity'],
295					pattern => "[ipv4-addr:value = '10.0.0.0']",
296					valid_from => STIX::Common::Timestamp->new('2014-05-08T09:00:00'),
297					);
298
299					# Functional interface
300
301					use STIX qw(:all);
302
303					my $bundle = bundle(
304					objects => [
305					indicator(
306					pattern_type => 'stix',
307					created => '2014-05-08T09:00:00',
308					name => 'IP Address for known C2 channel',
309					description => 'Test description C2 channel.',
310					indicator_types => ['malicious-activity'],
311					pattern => "[ipv4-addr:value = '10.0.0.0']",
312					valid_from => '2014-05-08T09:00:00',
313					)
314					]
315					);
316
317
318					=head1 DESCRIPTION
319
320					Structured Threat Information Expression (STIX) is a language for expressing
321					cyber threat and observable information.
322
323					L
324
325
326					=head2 Tags
327
328					=over
329
330					=item :all
331
332					Import all STIX objects
333
334					=item :common
335
336					Import all common objects
337
338					=item :sco
339
340					Import all STIX Cyber-observable Objects
341
342					=item :sdo
343
344					Import all STIX Domain Objects
345
346					=item :sro
347
348					Import all STIX Relationship Objects
349
350					=item :tlp
351
352					Import TLP (Traffic Light Protocol) statement marking
353
354					=back
355
356
357					=head2 STIX Domain Objects
358
359					STIX defines a set of STIX Domain Objects (SDOs): Attack Pattern, Campaign,
360					Course of Action, Grouping, Identity, Indicator, Infrastructure, Intrusion
361					Set, Location, Malware, Malware Analysis, Note, Observed Data, Opinion,
362					Report, Threat Actor, Tool, and Vulnerability. Each of these objects
363					corresponds to a concept commonly used in CTI.
364
365					=over
366
367					=item attack_pattern
368
369					Return L object.
370
371					=item campaign
372
373					Return L object.
374
375					=item course_of_action
376
377					Return L object.
378
379					=item grouping
380
381					Return L object.
382
383					=item identity
384
385					Return L object.
386
387					=item incident
388
389					Return L object.
390
391					=item indicator
392
393					Return L object.
394
395					=item infrastructure
396
397					Return L object.
398
399					=item intrusion_set
400
401					Return L object.
402
403					=item location
404
405					Return L object.
406
407					=item malware
408
409					Return L object.
410
411					=item malware_analysis
412
413					Return L object.
414
415					=item note
416
417					Return L object.
418
419					=item observed_data
420
421					Return L object.
422
423					=item opinion
424
425					Return L object.
426
427					=item report
428
429					Return L object.
430
431					=item threat_actor
432
433					Return L object.
434
435					=item tool
436
437					Return L object.
438
439					=item vulnerability
440
441					Return L object.
442
443					=back
444
445
446					=head2 STIX Cyber-observable Objects
447
448					STIX defines a set of STIX Cyber-observable Objects (SCOs) for
449					characterizing host-based and network-based information. SCOs are used by
450					various STIX Domain Objects (SDOs) to provide supporting context. The
451					Observed Data SDO, for example, indicates that the raw data was observed at
452					a particular time.
453
454					STIX Cyber-observable Objects (SCOs) document the facts concerning what
455					happened on a network or host, and do not capture the who, when, or why. By
456					associating SCOs with STIX Domain Objects (SDOs), it is possible to convey
457					a higher-level understanding of the threat landscape, and to potentially
458					provide insight as to the who and the why particular intelligence may be
459					relevant to an organization. For example, information about a file that
460					existed, a process that was observed running, or that network traffic
461					occurred between two IPs can all be captured as SCOs.
462
463					=over
464
465					=item artifact
466
467					Return L object.
468
469					=item autonomous_system
470
471					Return L object.
472
473					=item directory
474
475					Return L object.
476
477					=item domain_name
478
479					Return L object.
480
481					=item email_addr
482
483					Return L object.
484
485					=item email_message
486
487					Return L object.
488
489					=item file
490
491					Return L object.
492
493					=item ipv4_addr
494
495					Return L object.
496
497					=item ipv6_addr
498
499					Return L object.
500
501					=item mac_addr
502
503					Return L object.
504
505					=item mutex
506
507					Return L object.
508
509					=item network_traffic
510
511					Return L object.
512
513					=item process
514
515					Return L object.
516
517					=item software
518
519					Return L object.
520
521					=item url
522
523					Return L object.
524
525					=item user_account
526
527					Return L object.
528
529					=item windows_registry_key
530
531					Return L object.
532
533					=item x509_certificate
534
535					Return L object.
536
537					=back
538
539
540					=head3 Types
541
542					=over
543
544					=item alternate_data_stream_type
545
546					Return L object.
547
548					=item email_mime_part_type
549
550					Return L object.
551
552					=item windows_registry_value_type
553
554					Return L object.
555
556					=item x509_v3_extensions_type
557
558					Return L object.
559
560					=back
561
562
563					=head3 Extensions
564
565					=over
566
567					=item archive_ext
568
569					Return L object.
570
571					=item http_request_ext
572
573					Return L object.
574
575					=item icmp_ext
576
577					Return L object.
578
579					=item ntfs_ext
580
581					Return L object.
582
583					=item pdf_ext
584
585					Return L object.
586
587					=item raster_image_ext
588
589					Return L object.
590
591					=item socket_ext
592
593					Return L object.
594
595					=item tcp_ext
596
597					Return L object.
598
599					=item unix_account_ext
600
601					Return L object.
602
603					=item windows_process_ext
604
605					Return L object.
606
607					=item windows_service_ext
608
609					Return L object.
610
611					=back
612
613
614					=head2 STIX Relationship Objects
615
616					A relationship is a link between STIX Domain Objects (SDOs), STIX
617					Cyber-observable Objects (SCOs), or between an SDO and a SCO that describes
618					the way in which the objects are related. Relationships can be represented
619					using an external STIX Relationship Object (SRO) or, in some cases, through
620					certain properties which store an identifier reference that comprises an
621					embedded relationship.
622
623					=over
624
625					=item relationship
626
627					Return L object.
628
629					=item sighting
630
631					Return L object.
632
633					=back
634
635
636					=head2 Common Objects
637
638					STIX Domain Objects (SDOs) and Relationship Objects (SROs) all share a
639					common set of properties which provide core capabilities such as versioning
640					and data markings (representing how data can be shared and used). All STIX
641					Cyber-observable Objects (SCOs) likewise share a common set of properties
642					that are applicable for all SCOs. Similarly, STIX Meta Objects (SMOs) use
643					some but not all of the common properties.
644
645					=over
646
647					=item bundle
648
649					Return L object.
650
651					=item extension_definition
652
653					Return L object.
654
655					=item external_reference
656
657					Return L object.
658
659					=item granular_marking
660
661					Return L object.
662
663					=item kill_chain_phase
664
665					Return L object.
666
667					=item marking_definition
668
669					Return L object.
670
671					=back
672
673
674					=head3 TLP
675
676					=over
677
678					=item tlp_white
679
680					Return L object.
681
682					=item tlp_green
683
684					Return L object.
685
686					=item tlp_amber
687
688					Return L object.
689
690					=item tlp_red
691
692					Return L object.
693
694					=back
695
696
697
698					=head1 SUPPORT
699
700					=head2 Bugs / Feature Requests
701
702					Please report any bugs or feature requests through the issue tracker
703					at L.
704					You will be notified automatically of any progress on your issue.
705
706					=head2 Source Code
707
708					This is open source software. The code repository is available for
709					public review and contribution under the terms of the license.
710
711					L
712
713					git clone https://github.com/giterlizzi/perl-STIX.git
714
715
716					=head1 AUTHOR
717
718					=over 4
719
720					=item * Giuseppe Di Terlizzi
721
722					=back
723
724
725					=head1 LICENSE AND COPYRIGHT
726
727					This software is copyright (c) 2024 by Giuseppe Di Terlizzi.
728
729					This is free software; you can redistribute it and/or modify it under
730					the same terms as the Perl 5 programming language system itself.
731
732					=cut