Skip to content

utility for gathering anonymized metrics about stix/cybox object usage

Notifications You must be signed in to change notification settings

JasonKeirstead/cti-stats

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

41 Commits
 
 
 
 
 
 
 
 
 
 

Repository files navigation

cti-stats

What is it?

  • A utility for gathering anonymized metrics about STIX/CybOX object usage.

Why?

  • The OASIS CTI standards technical committees are trying to make informed choices about refactoring STIX and CybOX. Unfortunately, we're not privy to the vast majority of the relevant data due to the confidentiality requirements of the various sharing communities out there (ISACs, ISAOs, etc.) The idea is that authorized personnel from these various sharing communities can run this utility to gather anonymous statistics about STIX/CybOX object usage within their group and share that back with the OASIS CTI co-chairs.

How to install it?

  1. Clone this repository: git clone https://github.com/Soltra/cti-stats.git
    • It's recommended that you do not run cti-stats on your production repository to avoid resource-contention. Of course, you're free to point cti-stats at localhost, but it's wiser to run it from a different box. (For ideal performance, a box collocated in the same network subnet.)
  2. cd cti-stats
  3. Instantiate a Python virtual environment: virtualenv python_env
  4. Activate the Python virtual environment: source python_env/bin/activate
  5. Install the necessary Python dependencies: pip install -r requirements.txt

How to run it?

  • You have two basic options: polling a TAXII feed or recursing through a directory containing CTI.

Polling a TAXII feed

  1. Configure a temporary account on your CTI repository (Soltra Edge or whatever. which is authorized to poll your entire repository.
  2. Review cti-stats usage: ./cti-stats --help
  3. Run cti-stats, passing the appropriate arguments depending on your environment
    • Certain parameters have defaults if not otherwise specified. Refer to the output of ./cti-stats --help for clarification.
    • For an example, to run cti-stats against Hail a TAXII: ./cti-stats --user=guest --pass='guest' --host=hailataxii.com --port=80 --use-ssl=False --validate-cert=False --taxii-stats

Recursing a directory

  1. Identify a directory containing CTI you wish to analyze.
  2. Review cti-stats usage: ./cti-stats --help
  3. Run cti-stats, passing the appropriate arguments depending on your environment
    • Certain parameters have defaults if not otherwise specified. Refer to the output of ./cti-stats --help for clarification.
    • For an example: ./cti-stats --target-dir=~/cti_sample_data/ --file-stats

What to do with your analysis results

  1. Depending on the quantity of CTI data in your repository, you might have to wait a while for the results to be computed so go make a cup of coffee or work on something else while this runs in the background. In any case, cti-stats prints a progressbar with ETA on the console, so even if it takes a long time to run, you at least now how the progress is going.
  2. Eventually, you should get some output that looks like this:
+-------STIX stats------------------------------------------------------+
+-------STIX percentages------------------------------------------------+
ttps: 6.00%
indicators: 93.00%
+-------STIX counts-----------------------------------------------------+
ttps: 62
indicators: 914
Total STIX objects: 976

+-------CybOX stats-----------------------------------------------------+
+-------CybOX percentages-----------------------------------------------+
DomainName: 100.00%
+-------CybOX counts----------------------------------------------------+
DomainName: 914
Total CybOX objects: 914
  1. Send the output to one or more of the OASIS CTI co-chairs:
    • Trey Darley
    • Ivan Kirillov
    • You may opt to omit the total counts info for confidentiality reasons but at least send us the percentages!

About

utility for gathering anonymized metrics about stix/cybox object usage

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages