Skip to main content

Validate STIX 2 Patterns.

Project description


This is an `OASIS Open Repository
See the `Governance <#governance>`__ section for more information.

The STIX 2 Pattern Validator is a software tool for checking the syntax
of the Cyber Threat Intelligence (CTI) STIX Pattern expressions, which
are used within STIX to express conditions (represented with the Cyber
Observable data model) that indicate particular cyber threat activity.
The repository contains source code, an ANTLR grammar, automated tests
and associated documentation for the tool. The validator can be used as
a command-line tool or as a Python library which can be included in
other applications.

|Travis-CI Build Status|


- `Python <>`__ 2.6, 2.7, 3.3, 3.4, 3.5, or 3.6
- ANTLR grammar runtime (4.7 or newer):

- `antlr4-python2-runtime <>`__
(Python 2.7)
- `antlr4-python3-runtime <>`__
(Python 3)

- `enum34 <>`__ (Python 3.3)
- `six <>`__
- `typing <>`__ (Python 3.0-3.4)


Using `pip <>`__ is highly recommended:

.. code:: bash

$ pip install stix2-patterns

For more information about installing Python packages, see the `Python
Packaging User Guide <>`__.


The STIX Pattern Validator provides an executable script
(``validate-patterns``) in addition to being an importable Python

The ``validate-patterns`` script accepts patterns from either direct
user input or a file passed as an option.

>From Python Code

The ``run_validator`` function can be called on any Python string. It
returns a list of errors encountered while parsing the pattern.

.. code:: python

from stix2patterns.validator import run_validator

pattern = "[file-object:hashes.md5 = '79054025255fb1a26e4bc422aef54eb4']"
errors = run_validator(pattern)

User Input

When prompted, enter a pattern to validate and press enter. The
validator will supply whether the pattern has passed or failed. If the
pattern fails the test, the validator will supply where the first syntax
error occurred. The validator will continue to prompt for patterns until
Ctrl-C is pressed. Example:

.. code:: bash

$ validate-patterns

Enter a pattern to validate: [file-object:hashes.md5 = '79054025255fb1a26e4bc422aef54eb4']

PASS: [file-object:hashes.md5 = '79054025255fb1a26e4bc422aef54eb4']

File Input

.. code:: bash

$ validate-patterns -f <path_to_file>

Use <path\_to\_file> to specify the path to a file containing a set of
patterns to validate. Each pattern must be on a separate line of the
file so that the validator may determine where the pattern begins and
ends. The validator will supply the PASS/FAIL result of each pattern.


The STIX Pattern Validator's test suite can be run with
`pytest <>`__.

You can also test against the examples provided in the supplied
``examples.txt`` file.

.. code:: bash

$ validate-patterns -f stix2patterns/test/spec_examples.txt

Updating the Grammar

The ANTLR pattern grammar is maintained in the
`stix2-json-schemas <>`__
repository. If the grammar changes, the code in this repository should
be updated to match. To do so, use the Java ANTLR package to generate
new Python source files. (The .jar file is not needed for normal use of
the validator).

1. Download antlr-4.7-complete.jar from
2. Clone the stix2-json-schemas repository or download the
STIXPattern.g4 file.
3. Change to the directory containing the STIXPattern.g4 file.
4. Run the following command

.. code:: bash

$ java -jar "/path/to/antlr-4.7-complete.jar" -Dlanguage=Python2 STIXPattern.g4 -o /path/to/cti-pattern-validator/stix2patterns/grammars

5. Commit the resulting files to git.


This GitHub public repository (
**** ) was
`proposed <>`__
`approved <>`__
[`bis <>`__\ ] by the
`OASIS Cyber Threat Intelligence (CTI)
TC <>`__ as an `OASIS Open
Repository <>`__
to support development of open source resources related to Technical
Committee work.

While this Open Repository remains associated with the sponsor TC, its
development priorities, leadership, intellectual property terms,
participation rules, and other matters of governance are `separate and
distinct <>`__
from the OASIS TC Process and related policies.

All contributions made to this Open Repository are subject to open
source license terms expressed in the `BSD-3-Clause
License <>`__.
That license was selected as the declared `"Applicable
License" <>`__
when the Open Repository was created.

As documented in `"Public Participation
Invited <>`__",
contributions to this OASIS Open Repository are invited from all
parties, whether affiliated with OASIS or not. Participants must have a
GitHub account, but no fees or OASIS membership obligations are
required. Participation is expected to be consistent with the `OASIS
Open Repository Guidelines and
Procedures <>`__,
the open source
`LICENSE <>`__
designated for this particular repository, and the requirement for an
`Individual Contributor License
Agreement <>`__
that governs intellectual property.


Open Repository
`Maintainers <>`__
are responsible for oversight of this project's community development
activities, including evaluation of GitHub `pull
requests <>`__
`preserving <>`__
open source principles of openness and fairness. Maintainers are
recognized and trusted experts who serve to implement community goals
and consensus design preferences.

Initially, the associated TC members have designated one or more persons
to serve as Maintainer(s); subsequently, participating community members
may select additional or substitute Maintainers, per `consensus
agreements <>`__.

Current Maintainers of this Open Repository

- `Greg Back <>`__; GitHub ID:; WWW: `MITRE <>`__
- `Ivan Kirillov <>`__; GitHub ID:; WWW: `MITRE <>`__

About OASIS Open Repositories

- `Open Repositories: Overview and
Resources <>`_
- `Frequently Asked
Questions <>`_
- `Open Source
Licenses <>`_
- `Contributor License Agreements
(CLAs) <>`_
- `Maintainers' Guidelines and
Agreement <>`_


Questions or comments about this Open Repository's activities should be
composed as GitHub issues or comments. If use of an issue/comment is not
possible or appropriate, questions may be directed by email to the
Maintainer(s) `listed above <#currentMaintainers>`__. Please send
general questions about Open Repository participation to OASIS Staff at and any specific CLA-related questions

.. |Travis-CI Build Status| image::

Project details

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

stix2-patterns-0.4.1.tar.gz (29.3 kB view hashes)

Uploaded Source

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page