A pure Rust library for MISP (Malware Information Sharing Platform) data models and STIX 2.1 conversion.
- Complete MISP Data Models - All core MISP structures (Events, Attributes, Objects, Galaxies, Sightings, etc.)
- 213 Attribute Types - 100% coverage of official MISP attribute types with validation
- 105 Object Templates - Comprehensive object template support
- Bidirectional STIX 2.1 Conversion - Convert between MISP and STIX formats
- Full Validation - Type-safe attribute validation with proper error handling
- Zero API Dependencies - Pure data model library, bring your own HTTP client
This library is perfect for:
- Building custom MISP API clients
- MISP ↔ STIX conversion utilities
- Threat intelligence data processing pipelines
- MISP data validation and normalization
- Integration with other threat intelligence platforms
Add this to your Cargo.toml:
[dependencies]
misp-rs = "0.1.0"use misp_rs::models::event::Event;
use misp_rs::models::attribute::Attribute;
use misp_rs::validation::attribute_type::AttributeType;
fn main() -> Result<(), Box<dyn std::error::Error>> {
// Create a new MISP event
let mut event = Event::default();
event.info = "Malware Campaign - APT28".to_string();
event.threat_level_id = Some("1".to_string()); // High
// Add attributes with type validation
let ip_attr = Attribute::new(
AttributeType::IpDst,
"192.168.1.100".to_string()
)?;
event.attributes.push(ip_attr);
let hash_attr = Attribute::new(
AttributeType::Sha256,
"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855".to_string()
)?;
event.attributes.push(hash_attr);
// Serialize to JSON
let json = serde_json::to_string_pretty(&event)?;
println!("{}", json);
Ok(())
}use misp_rs::models::event::Event;
use misp_rs::convert::{ToMisp, FromMisp};
use stix_rs::bundle::Bundle;
fn main() {
// Create MISP event
let mut event = Event::default();
event.info = "Threat Intelligence Report".to_string();
// Convert MISP → STIX
let stix_bundle = Bundle::from_misp(&event);
println!("STIX Bundle has {} objects", stix_bundle.objects.len());
// Convert STIX → MISP
let result = stix_bundle.to_misp_event();
if let Some(misp_event) = result.successful.get(0) {
println!("Converted back to MISP: {}", misp_event.info);
}
}use misp_rs::models::attribute::Attribute;
use misp_rs::validation::attribute_type::AttributeType;
fn main() -> Result<(), Box<dyn std::error::Error>> {
// Valid IP address - succeeds
let valid = Attribute::new(AttributeType::IpDst, "8.8.8.8".to_string())?;
// Invalid IP address - returns error
let invalid = Attribute::new(AttributeType::IpDst, "not-an-ip".to_string());
assert!(invalid.is_err());
// Composite attributes (filename|hash)
let composite = Attribute::new(
AttributeType::FilenameMd5,
"malware.exe|d41d8cd98f00b204e9800998ecf8427e".to_string()
)?;
Ok(())
}use misp_rs::convert::templates::{get_templates, ObjectTemplate};
use misp_rs::models::object::Object;
fn main() {
let templates = get_templates();
println!("Available templates: {}", templates.len());
// Find specific template
for template in templates {
if template.name() == "file" {
let mut obj = Object::default();
obj.name = "file".to_string();
if let Some(stix_obj) = template.to_stix(&obj) {
println!("Converted to STIX: {:?}", stix_obj);
}
}
}
}All 191+ official MISP attribute types are supported, including:
- Network:
ip-dst,ip-src,domain,url,hostname,mac-address,asn,uri, etc. - File Hashes:
md5,sha1,sha256,sha512,ssdeep,imphash,authentihash, etc. - Email:
email-dst,email-src,email-subject,email-attachment, etc. - Financial:
btc,iban,cc-number,bank-account-nr, etc. - Person/Identity:
first-name,passport-number,phone-number, etc. - Detection:
yara,sigma,snort,suricata - And many more...
See the full list in src/validation/attribute_type.rs
105+ object templates including:
- Files:
file,pe,elf,lnk,pdf - Network:
network-connection,http-request,dns-record,whois - Email:
email,email-attachment - Mobile:
android-app,ios-app - Cloud:
aws-ec2-instance,azure-application,docker-container - And many more...
This is a pure data model library with no API client functionality:
misp-rs/
├── models/ # Complete MISP data structures
├── validation/ # Attribute type validation
├── convert/ # STIX 2.1 conversion logic
│ └── templates/ # 105+ object templates
└── errors/ # Typed error handling
This library focuses on data models and conversion. For API interactions, use your favorite HTTP client:
use misp_rs::models::event::Event;
use reqwest;
async fn get_event(url: &str, api_key: &str, event_id: &str)
-> Result<Event, Box<dyn std::error::Error>>
{
let client = reqwest::Client::new();
let response = client
.get(&format!("{}/events/{}", url, event_id))
.header("Authorization", api_key)
.header("Accept", "application/json")
.send()
.await?;
let event: Event = response.json().await?;
Ok(event)
}See the examples/ directory:
create_event.rs- Creating MISP events with attributesstix_conversion.rs- Bidirectional MISP ↔ STIX conversion
Run examples with:
cargo run --example create_event
cargo run --example stix_conversioncargo testAll tests include:
- Attribute type validation
- MISP ↔ STIX conversion
- Event validation
- Composite attribute handling
- Serialization/deserialization
Contributions are welcome! Please feel free to submit a Pull Request.
MIT License - see LICENSE file for details