Validate STIX 2 Patterns.
Project description
This is an OASIS Open Repository. See the Governance section for more information.
The STIX 2 Pattern Validator is a software tool for checking the syntax of the Cyber Threat Intelligence (CTI) STIX Pattern expressions, which are used within STIX to express conditions (represented with the Cyber Observable data model) that indicate particular cyber threat activity. The repository contains source code, an ANTLR grammar, automated tests and associated documentation for the tool. The validator can be used as a command-line tool or as a Python library which can be included in other applications.
Requirements
Python 2.6, 2.7, 3.3, 3.4, 3.5, or 3.6
ANTLR grammar runtime (4.7 or newer):
antlr4-python2-runtime (Python 2.7)
antlr4-python3-runtime (Python 3)
enum34 (Python 3.3)
typing (Python 3.0-3.4)
Installation
Using pip is highly recommended:
$ pip install stix2-patterns
For more information about installing Python packages, see the Python Packaging User Guide.
Usage
The STIX Pattern Validator provides an executable script (validate-patterns) in addition to being an importable Python library.
The validate-patterns script accepts patterns from either direct user input or a file passed as an option.
From Python Code
The run_validator function can be called on any Python string. It returns a list of errors encountered while parsing the pattern.
from stix2patterns.validator import run_validator
pattern = "[file-object:hashes.md5 = '79054025255fb1a26e4bc422aef54eb4']"
errors = run_validator(pattern)
User Input
When prompted, enter a pattern to validate and press enter. The validator will supply whether the pattern has passed or failed. If the pattern fails the test, the validator will supply where the first syntax error occurred. The validator will continue to prompt for patterns until Ctrl-C is pressed. Example:
$ validate-patterns
Enter a pattern to validate: [file-object:hashes.md5 = '79054025255fb1a26e4bc422aef54eb4']
PASS: [file-object:hashes.md5 = '79054025255fb1a26e4bc422aef54eb4']
File Input
$ validate-patterns -f <path_to_file>
Use <path_to_file> to specify the path to a file containing a set of patterns to validate. Each pattern must be on a separate line of the file so that the validator may determine where the pattern begins and ends. The validator will supply the PASS/FAIL result of each pattern.
Testing
The STIX Pattern Validator’s test suite can be run with pytest.
You can also test against the examples provided in the supplied examples.txt file.
$ validate-patterns -f stix2patterns/test/spec_examples.txt
Updating the Grammar
The ANTLR pattern grammar is maintained in the stix2-json-schemas repository. If the grammar changes, the code in this repository should be updated to match. To do so, use the Java ANTLR package to generate new Python source files. (The .jar file is not needed for normal use of the validator).
Download antlr-4.7-complete.jar from http://www.antlr.org/download/
Clone the stix2-json-schemas repository or download the STIXPattern.g4 file.
Change to the directory containing the STIXPattern.g4 file.
Run the following command
$ java -jar "/path/to/antlr-4.7-complete.jar" -Dlanguage=Python2 STIXPattern.g4 -o /path/to/cti-pattern-validator/stix2patterns/grammars
Commit the resulting files to git.
Governance
This GitHub public repository ( https://github.com/oasis-open/cti-pattern-validator ) was proposed and approved [bis] by the OASIS Cyber Threat Intelligence (CTI) TC as an OASIS Open Repository to support development of open source resources related to Technical Committee work.
While this Open Repository remains associated with the sponsor TC, its development priorities, leadership, intellectual property terms, participation rules, and other matters of governance are separate and distinct from the OASIS TC Process and related policies.
All contributions made to this Open Repository are subject to open source license terms expressed in the BSD-3-Clause License. That license was selected as the declared “Applicable License” when the Open Repository was created.
As documented in “Public Participation Invited”, contributions to this OASIS Open Repository are invited from all parties, whether affiliated with OASIS or not. Participants must have a GitHub account, but no fees or OASIS membership obligations are required. Participation is expected to be consistent with the OASIS Open Repository Guidelines and Procedures, the open source LICENSE designated for this particular repository, and the requirement for an Individual Contributor License Agreement that governs intellectual property.
Maintainers
Open Repository Maintainers are responsible for oversight of this project’s community development activities, including evaluation of GitHub pull requests and preserving open source principles of openness and fairness. Maintainers are recognized and trusted experts who serve to implement community goals and consensus design preferences.
Initially, the associated TC members have designated one or more persons to serve as Maintainer(s); subsequently, participating community members may select additional or substitute Maintainers, per consensus agreements.
Current Maintainers of this Open Repository
Greg Back; GitHub ID: https://github.com/gtback; WWW: MITRE
Ivan Kirillov; GitHub ID: https://github.com/ikiril01; WWW: MITRE
About OASIS Open Repositories
Feedback
Questions or comments about this Open Repository’s activities should be composed as GitHub issues or comments. If use of an issue/comment is not possible or appropriate, questions may be directed by email to the Maintainer(s) listed above. Please send general questions about Open Repository participation to OASIS Staff at repository-admin@oasis-open.org and any specific CLA-related questions to repository-cla@oasis-open.org.
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.