OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

cti message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Re: [cti] Golang libstix2 updates

Some thoughts;
For us at least, most all usage of custom properties are complex (we have a custom property that underneath it has a JSON object with a bunch of sub properties, it's not just a string)
I am unsure why, you are saving the custom property as a byte array. Why wouldn't you just decode the JSON and save it as an object as per normal? It would make it easier to work with. 
Jason Keirstead
Chief Architect - IBM Security Threat Management

"Would you like me to give you a formula for success? It's quite simple, really. Double your rate of failure."

- Thomas J. Watson
----- Original message -----
From: Bret Jordan <bret.jordan@broadcom.com>
Sent by: <cti@lists.oasis-open.org>
To: OASIS CTI TC Discussion List <cti@lists.oasis-open.org>
Subject: [EXTERNAL] [cti] Golang libstix2 updates
Date: Fri, Jan 10, 2020 2:07 AM

I have been working on my libstix2 libraries for Golang (https://github.com/freetaxii/libstix2) and have added basic support for all of the STIX 2.1 objects. In addition I have been working on adding support for custom properties. This note explains how they work. Right now I only have it working for Attack Patterns, but I will copy the code across all of the objects soon, unless someone has a better way of solving this problem.

A) First, letâs deal with the decoding of an attack pattern JSON string that has a custom property called âsome_custom_propertyâ, where that custom property is of type string.

You may have an attack pattern that looks like this:
    "type": "attack-pattern",
    "spec_version": "2.1",
    "id": "attack-pattern--d62e1eff-eb93-42e2-bd90-dabff3b93427",
    "created": "2018-06-05T18:25:15.917Z",
    "modified": "2018-06-05T18:25:15.917Z",
    "name": "Phishing",
    "aliases": ["Banking1", "ATM2"],
    "some_custom_property": "some_custom_value"

In your code you have consumed this JSON string and stored it in a []byte called âfooâ. So you could decode it by doing:

o, _ := attackpattern.Decode(foo)

This will give you an attack pattern object called âoâ and all of the custom properties will be stored in a property called âo.Customâ which is a map[string]*json.RawMessage. This means that we will have all of the key names for the custom properties, but all of their values will be untouched and left as a []byte.  So we are not decoding the values at this stage. So if you do not know how to process them, you do not need to worry about it. Just store them as an array of bytes.

If you were to print out o.Custom you would get:
map[some_custom_property:[34 115 111 109 101 95 99 117 115 116 111 109 95 118 97 108 117 101 34]]

Then when you want to process that data in o.Custom, if you know how to, you would just unmarshal those properties, such as:

var data string
json.Unmarshal(o.Custom["some_custom_property"], &data)

If you were to print out value of âdataâ you would get:

B) Second, letâs deal with encoding and adding properties to the objects that I have defined in my library. You would create a new type and embed the one from my library in it, like so:

type myCustomAttackPattern struct {
    SomeCustomProperty string `json:"some_custom_propety,omitempty"`

Then in your main program you could do:

o := attackpattern.New()
customAP := myCustomAttackPattern{AttackPattern: o}


o := attackpattern.New()
var customAP myCustomAttackPattern
customAP.AttackPattern = o

At this point you can then populate your new custom property with data and encode it like so:

customAP.SomeCustomProperty = "some custom string data"
data, - := json.MarshalIndent(customAP, "", "    ")

Now if you print out âdataâ you will get an attack pattern with your new custom property.

    "type": "attack-pattern",
    "spec_version": "2.1",
    "id": "attack-pattern--2b88c3ff-410d-44c4-9056-2ead668ab13c",
    "created": "2020-01-10T05:52:30.494Z",
    "modified": "2020-01-10T05:52:30.494Z",
    "some_custom_propety": "some custom string data"

I have two examples in my examples directory that show this, 06-decode-custom-properties.go and 07-use-custom-properties.go
PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050
"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]