stix2
| Crates.io | stix2 |
| lib.rs | stix2 |
| version | 0.1.1 |
| created_at | 2026-01-01 05:25:36.273197+00 |
| updated_at | 2026-01-01 06:12:36.83485+00 |
| description | A Rust implementation of STIX 2.1 (Structured Threat Information Expression) |
| homepage | https://cysecurity.org/ |
| repository | https://github.com/CSPF-Founder/darwis-taxii |
| max_upload_size | |
| id | 2015786 |
| size | 876,902 |
Cyber Security and Privacy Foundation (CSPF-Founder)
documentation
README
stix2
A Rust implementation of STIX 2.1 (Structured Threat Information Expression) for representing and exchanging cyber threat intelligence.
Features
- STIX Domain Objects (SDOs): Attack Pattern, Campaign, Course of Action, Grouping, Identity, Incident, Indicator, Infrastructure, Intrusion Set, Location, Malware, Malware Analysis, Note, Observed Data, Opinion, Report, Threat Actor, Tool, Vulnerability
- STIX Relationship Objects (SROs): Relationship, Sighting
- STIX Cyber Observable Objects (SCOs): Artifact, Autonomous System, Directory, Domain Name, Email Address, Email Message, File, IPv4/IPv6 Address, MAC Address, Mutex, Network Traffic, Process, Software, URL, User Account, Windows Registry Key, X.509 Certificate
- Data Markings: TLP (Traffic Light Protocol), Statement markings
- Pattern Language: Full parser for STIX indicator patterns
- DataStore Abstractions: Memory store, FileSystem store, Composite data sources
- Validation: Property validation per STIX specification
- Versioning: Object versioning and revocation utilities
- Equivalence: Semantic equivalence and similarity checking
- Graph Analysis: Relationship graph traversal and analysis
- Canonicalization: Deterministic JSON canonicalization with hashing
- STIX 2.0 Compatibility: Parse and detect STIX 2.0 content
Installation
Add to your Cargo.toml:
[dependencies]
stix2 = "0.1"
Feature Flags
default- Core functionality (no async)async- Enables async datastore operations with tokio and reqwesttaxii- Enables TAXII client support (includesasync)
# With async support
stix2 = { version = "0.1", features = ["async"] }
Quick Start
use stix2::prelude::*;
fn main() -> stix2::Result<()> {
// Create an indicator
let indicator = Indicator::builder()
.name("Malicious File Hash")
.pattern("[file:hashes.'SHA-256' = 'abc123']")
.pattern_type(PatternType::Stix)
.valid_from_now()
.build()?;
// Serialize to JSON
let json = stix2::serialize_pretty(&indicator)?;
println!("{}", json);
// Parse from JSON
let parsed: StixObject = stix2::parse(&json)?;
Ok(())
}
Working with Bundles
use stix2::prelude::*;
fn main() -> stix2::Result<()> {
// Create a bundle with multiple objects
let mut bundle = Bundle::new();
let threat_actor = ThreatActor::builder()
.name("APT28")
.threat_actor_types(vec![ThreatActorType::NationState])
.build()?;
let malware = Malware::builder()
.name("X-Agent")
.is_family(true)
.malware_types(vec![MalwareType::Backdoor])
.build()?;
bundle.add_object(threat_actor);
bundle.add_object(malware);
// Serialize the bundle
let json = stix2::serialize_pretty(&bundle)?;
Ok(())
}
DataStore Usage
use stix2::prelude::*;
fn main() -> stix2::Result<()> {
// Create an in-memory store
let mut store = MemoryStore::new();
let indicator = Indicator::builder()
.name("Test Indicator")
.pattern("[domain-name:value = 'malicious.com']")
.pattern_type(PatternType::Stix)
.valid_from_now()
.build()?;
// Add to store
store.add(indicator.into())?;
// Query with filters
let results = store.query(vec![
Filter::new("type", "=", "indicator"),
])?;
Ok(())
}
STIX Pattern Parsing
use stix2::patterns::Pattern;
fn main() -> stix2::Result<()> {
let pattern_str = "[file:hashes.'SHA-256' = 'abc123'] AND [domain-name:value = 'evil.com']";
let pattern = Pattern::parse(pattern_str)?;
// Analyze the parsed pattern
println!("Pattern: {:?}", pattern);
Ok(())
}
License
BSD-3-Clause