****************************************************
STIX Viz v1alpha5
Copyright (c) 2014 - The MITRE Corporation
All rights reserved. See LICENSE.txt for complete terms.
****************************************************
BY USING THE STIX VIZ APPLICATION, YOU SIGNIFY YOUR ACCEPTANCE OF THE
TERMS AND CONDITIONS OF USE. IF YOU DO NOT AGREE TO THESE TERMS, DO NOT USE
THE STIX VIZ APPLICATION.
For more information, please refer to the terms.txt file.
#################################################################
StixViz v1.0 alpha5

Compatible with STIX v1.0.1

This is a proof of concept prototype to visualize a set of Structured Threat Information eXpression (STIX™) documents
as a node-link tree with the root at the top of the XML structure.
StixViz is implemented in JavaScript as a standalone application using the node-webkit
application runtime, which is based on the Chromium rendering engine and node.js.

To use STIXViz, first select a set of related XML files using the
'Choose Files' menu.

STIXViz v1.0a5 includes three different views of STIX documents: Graph View,
Tree View and Timeline View. These views show the same information using different layouts.
To switch between views, use the drop-down menu at the top of the
window. On startup, the default view is Graph View.

Graph View

Graph View displays the same entities as Tree View, but in a fully connected
graph layout. The graph view uses a force-directed graph layout in order to
dynamically position the nodes. Nodes may be dragged into a new position,
in which case the layout will dynamically reconfigure itself.

Nodes in the Graph View are expandable. The display begins with all but the top two
levels collapsed. To view the underlying structure of a node, single-click on the node
and it will expand. Single-click again and the node will collapse. Leaf nodes
are nodes with no children, and are represented by a washed-out color scheme and
no dark border.

By default, the graph includes "Grouping" nodes which are a parent of all nodes of the same
type. To remove these grouping nodes and see just the entity nodes in the graph, click
the "Ungroup" button in the menu bar.

Hovering over a node in graph view highlights the links with other nodes. In-links
are shown in blue and out-links in green.

Nodes may be fixed in position using the right-button context menu on each
node. If a node is fixed, it may be dragged to a new position and it will stay
where it was placed. Nodes may be un-fixed again using the context menu.

Nodes and links may be filtered using the Filter menu on the left of the screen. Uncheck
the checkbox next to a node type to hide all nodes of that type. Click the plus sign next
to a node type to see a list of all link types associated with that node type. Filter
links using the checkboxes next to the link types.

Nodes may also be hidden using the context menu. To re-display a hidden node,
click on its parent node.

Tree View

STIXViz Tree View displays a tree containing nodes for top
level STIX entities: campaign, course of action, exploit target,
incident, indicator, observable, threat actor, and TTP. When the tree
first displays, there is a top level node shown for each component type
included in the XML files processed. Nodes with a black and white
border can be expanded with a single click.

Each category of top level "items" is turned into a node in the tree.
The nodes themselves are expandable to show the structure of the relationships
between entities.

A down arrow on a link indicates that the child node is specified as
part of the parent node's XML. For instance, a campaign will contain
links with down arrows to indicator nodes specified by
campaign:Related_Indicators.

An up arrow indicates that the parent node is specified via an idRef
attribute in the child node. For instance, a threat actor will contain
links to it from incident nodes that specify it under
incident:Threat_Actors.

Long node names are truncated in the tree view. Mousing over a named
node will display the node's id if it has one, as well as the full
version of the text used as its name.

A double click on a node will cause it to become the root node of the
tree, hiding other branches from view. Double click on the root node
again to walk back up the tree.
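
The two link directions described above, sketched as an added example in Python (not code from StixViz, which does this in JavaScript). It assumes any element with an "id" is an entity and that each "idref" belongs to the nearest enclosing entity; the function names and the simplified sample document are constructed for illustration. References whose target is not in the loaded file are reported separately instead of being drawn.

```python
import xml.etree.ElementTree as ET

# Constructed, simplified STIX 1.x-style sample (not taken from the project).
SAMPLE = """<stix:STIX_Package xmlns:stix="http://stix.mitre.org/stix-1"
    xmlns:stixCommon="http://stix.mitre.org/common-1"
    xmlns:campaign="http://stix.mitre.org/Campaign-1"
    xmlns:incident="http://stix.mitre.org/Incident-1">
  <stix:Indicators><stix:Indicator id="ex:indicator-1"/></stix:Indicators>
  <stix:Incidents><stix:Incident id="ex:incident-1">
    <incident:Threat_Actors><incident:Threat_Actor>
      <stixCommon:Threat_Actor idref="ex:actor-1"/>
    </incident:Threat_Actor></incident:Threat_Actors>
  </stix:Incident></stix:Incidents>
  <stix:Campaigns><stix:Campaign id="ex:campaign-1">
    <campaign:Related_Indicators>
      <campaign:Related_Indicator><stixCommon:Indicator idref="ex:indicator-1"/></campaign:Related_Indicator>
      <campaign:Related_Indicator><stixCommon:Indicator idref="ex:indicator-2"/></campaign:Related_Indicator>
    </campaign:Related_Indicators>
  </stix:Campaign></stix:Campaigns>
  <stix:Threat_Actors><stix:Threat_Actor id="ex:actor-1"/></stix:Threat_Actors>
</stix:STIX_Package>"""

def declared_links(xml_text):
    """Return (links, unresolved) as lists of (declaring_id, referenced_id)."""
    root = ET.fromstring(xml_text)
    known = {el.get("id") for el in root.iter() if el.get("id")}
    links, unresolved = [], []

    def walk(el, owner):
        if el.get("id"):
            if owner:  # entity written inline inside another entity's XML
                links.append((owner, el.get("id")))
            owner = el.get("id")
        ref = el.get("idref")  # STIX spells the attribute "idref"
        if ref and owner:
            (links if ref in known else unresolved).append((owner, ref))
        for child in el:
            walk(child, owner)

    walk(root, None)
    return links, unresolved

def children_of(entity_id, links):
    """Tree children of one entity, with the arrow direction per link."""
    down = [(dst, "down") for src, dst in links if src == entity_id]  # declared in parent
    up = [(src, "up") for src, dst in links if dst == entity_id]      # declared in child
    return down + up

if __name__ == "__main__":
    links, unresolved = declared_links(SAMPLE)
    for entity in ("ex:campaign-1", "ex:actor-1"):
        print(entity, children_of(entity, links))
    print("unresolved idrefs:", unresolved)
```

An unresolved idref usually means the referenced entity lives in another file of the set, so the link only appears once that file is loaded as well.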

Timeline View

The timeline view shows timestamped entities within a STIX document, such as
incidents and their associated activities. Events that occur at a single point
in time are represented by a dot, and events that occur over a period of time (with a
start and end time) are represented by a horizontal bar. Different types of
events are displayed with different colors, as denoted by the legend at the
upper right of the timeline view.

The timeline can be zoomed and scrolled. When a new STIX file is loaded, it will
initially display the full extent of the time period represented in the file. To zoom in on
a specific period of time within the file, you can click and drag on the Overview bar
below the main timeline display. When a region of time in the overview bar is selected,
the main timeline will zoom in on that region of time. You can then scroll the selected
area within the overview bar and the main display will scroll to show the corresponding
time interval.

HTML Transform

The 'Show HTML' menu at the top of the page can be used to display an
XSLT transformed file at the bottom of the STIXViz window. In both Tree View and
Graph View, nodes that have an id specified in the XML file can be displayed
in the HTML view as well. To do this, right-click the node and select 'Show HTML'.

This is a work in progress. Feedback is most welcome!
requirements:
- node webkit framework including mime module from node.js (currently tested with node-webkit v0.9.2)
- node.js (currently tested with version 0.10.13)
- bootstrap.js (v3.0)
- d3.js (v3)
- jquery and jquery-ui (tested with jquery 1.10.2)
- Stix HTML package (tested with v1beta4)
- one or more STIX 1.0 input xml documents
- Java 1.7 executable for XSLT transforms
- Java Gson package (tested with 2.2.4)
- Saxon HE (tested with version 9.5.3)
v1.0alpha5
2014-06-13
STIX - https://stixproject.github.io/
#################################################################
--------------------------------------------------------------------------------
--Included Files----------------------------------------------------------------
README: this file.
LICENSE.txt
-src
-nodejs: Runnable NodeJS package
index.html: The main html page for the application
package.json: node-webkit config file for the StixViz app
java.exe: Java executable needed for xslt STIX to HTML transform
-public
-js
StixViz.js: Top level StixViz app
JavaRpcClient.js: Remote connection to Java processing of XML transform
STIXJsonGeneration.js: Manages conversion of STIX files into JSON
STIXRelationshipJson.js: Transforms STIX XML into JSON data structure for tree layout
STIXTTPProcessing.js: Converts TTP structure to JSON
STIXNameResolver.js: Determine node names
STIXRelationshipTree.js: Displays the tree structure
STIXRelationshipGraph.js: Displays the graph structure
STIXTTPProcessing.js: Process TTPs into Json
STIXXSLTTransformer.js: Converts XML to HTML
STIXUtilities.js: Utilities for XML to JSON conversion
STIXRelationshipTimeline.js: Displays the Timeline view
STIXTimelineJson.js: converts STIX to JSON Format for timeline
-bootstrap
bootstrap.min.js
-d3
d3.v3.js
-jquery
jquery-1.10.2.min.js
-jquery-ui
jquery-ui-1.10.3.custom.min.js
jquery.ui.draggable.js
-plugin
jquery.layout-latest.min.js
-xslt
-images
directory of icon images
cybox_common.xsl
icons.xsl
normalize.xsl
stix_common.xsl
stix_to_html.xsl
common.js
wgxpath.install.js
common.css
theme_default.css
-css
stixLayout.css: common styles used by all views
treeLayout.css: Stylesheet for tree display
graphLayout.css: Stylesheet for graph view
timeline.css: Stylesheet for timeline view
-bootstrap
bootstrap.min.css
-jquery-ui
jquery-ui-1.10.3.custom.min.css
-plugin
layout-default.css
-node_modules
mime
node.js mime package contents
-dist
NodeRpc.jar: java package for handling remote procedure calls to perform XSLT transform
-java
Source code for the Java RPC library to respond to requests for XSLT transform. The executable jar file
containing this code is included in the "dist" directory of the nodejs package.
--------------------------------------------------------------------------------
--Usage Notes-------------------------------------------------------------------
Building:
The StixViz app depends on the node.js "mime" module which is available from the npm package management system.
The mime module is already included in the node_modules directory of this package. To
reinstall the mime module, be sure you have node.js installed, then cd to the root directory of the StixViz app
and execute the command:
> npm install mime
To run the StixViz app using node-webkit, execute the following command:
> nw.exe {path to StixViz main directory}
To package the StixViz app to run standalone perform the following steps on Windows:
1. Create a zip file (NOT zipx) containing index.html, package.json, the public directory and the node_modules directory
2. Name the zip file StixViz.nw
3. At the command prompt run
> copy /b nw.exe+StixViz.nw StixViz.exe
This will create an executable StixViz.exe
4. The executable requires the following files that come with the node-webkit distribution to be on the path:
nw.pak
icudt.dll
ffmpegsumo.dll
libEGL.dll
libGLESv2.dll
On other platforms follow the instructions from https://github.com/rogerwang/node-webkit/wiki/How-to-package-and-distribute-your-apps
-- Running from Binary Executable --
A pre-packaged Java 7 executable is available from the GitHub release page at
https://github.com/STIXProject/stix-viz/releases/download/v1.0.5a/StixVizDistro_Windows_java7.zip
A pre-packaged Java 8 executable is available from the GitHub release page at
https://github.com/STIXProject/stix-viz/releases/download/v1.0.5a/StixVizDistro_Windows_Java8.zip
To run the pre-packaged Windows executable, extract all of the files included in the zip file into a directory and double click the file StixViz.exe.
A pre-packaged Mac OSX executable can be downloaded from https://github.com/STIXProject/stix-viz/releases/download/v1.0.5a/StixViz_Mac.zip.
Extract StixViz.app from the zip file.