fix: Fixed direction of the relationship between files, PEs and their sections

- The file object includes a PE, and the PE
  includes sections, not the other way round
- Backward compatibility with events created
  with 'included-in' as the relationship_type
  between those objects
pull/4939/head
chrisr3d 2019-07-24 16:00:39 +02:00
parent cecaae759c
commit 6a4ab5272d
No known key found for this signature in database
GPG Key ID: 6BBED1B63A6D639F
4 changed files with 11 additions and 11 deletions


@ -312,7 +312,7 @@ class StixBuilder(object):
win_exec_file = WinExecutableFile()
self.fill_file_object(win_exec_file, file_dict)
for reference in file_object['ObjectReference']:
if reference['relationship_type'] == "included-in" and reference['Object']['name'] == "pe":
if reference['relationship_type'] in ("includes", "included-in") and reference['Object']['name'] == "pe":
pe_uuid = reference['referenced_uuid']
break
pe_object = self.objects_to_parse['pe'][pe_uuid]
@ -349,7 +349,7 @@ class StixBuilder(object):
pe_section_object = self.objects_to_parse['pe-section'][reference['referenced_uuid']]
to_ids_section, section_dict = self.create_attributes_dict(pe_section_object['Attribute'])
to_ids_list.append(to_ids_section)
if reference['relationship_type'] == "included-in":
if reference['relationship_type'] in ("includes", "included-in"):
pe_sections.append(self.create_pe_section_object(section_dict))
elif reference['relationship_type'] == "header-of":
entropy = self.create_pe_file_header(section_dict, pe_file_header)
@ -809,7 +809,7 @@ class StixBuilder(object):
if misp_object.get('ObjectReference'):
to_parse = False
for reference in misp_object['ObjectReference']:
if reference['relationship_type'] == 'included-in' and reference['Object']['name'] == "pe":
if reference['relationship_type'] in ('includes', 'included-in') and reference['Object']['name'] == "pe":
self.objects_to_parse[misp_object['name']][uuid] = misp_object
to_parse = True
break
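Review bot: In the -312 hunk the lookup `pe_object = self.objects_to_parse['pe'][pe_uuid]` indexes the parsed-object table directly, so a file whose reference points at a PE uuid that is not present in the event (a dangling or cross-event reference) raises KeyError and aborts the whole export instead of degrading to a plain file observable. Accepting both 'includes' and 'included-in' is fine, but the `referenced_uuid` that check yields is still untrusted event content; `pe_uuid` would also be unbound if no reference matched, though the -809 hunk appears to guarantee one does. A minimal guard is `pe_object = self.objects_to_parse['pe'].get(pe_uuid)` followed by a skip-or-fallback when it is None. The same applies to the `pe-section` lookup in the -349 hunk, where the section is fetched before its relationship type is even examined. The enclosing functions start before their hunks, so any existing fallback path cannot be confirmed from here.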


@ -239,7 +239,7 @@ class StixBuilder():
name = misp_object['name']
if name == 'file' and misp_object.get('ObjectReference'):
for reference in misp_object['ObjectReference']:
if reference['relationship_type'] == 'included-in' and reference['Object']['name'] == "pe":
if reference['relationship_type'] in ('includes', 'included-in') and reference['Object']['name'] == "pe":
self.objects_to_parse[name][misp_object['uuid']] = to_ids, misp_object
return
try:
@ -262,7 +262,7 @@ class StixBuilder():
file_id = "file--{}".format(file_object['uuid'])
to_ids_list = [to_ids_file]
for reference in file_object['ObjectReference']:
if reference['relationship_type'] == "included-in" and reference['Object']['name'] == "pe":
if reference['relationship_type'] in ("includes", "included-in") and reference['Object']['name'] == "pe":
pe_uuid = reference['referenced_uuid']
break
to_ids_pe, pe_object = self.objects_to_parse['pe'][pe_uuid]
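Review bot: The literal `('includes', 'included-in')` is now repeated at both sites in this file (the -239 and -262 hunks) and three more times in the other exporter, so the next change to the accepted relationship names has five places to miss. Define it once at module level, `PE_RELATIONSHIP_TYPES = ('includes', 'included-in')`, and test `reference['relationship_type'] in PE_RELATIONSHIP_TYPES` at each site. A comment beside the constant, `# 'included-in' is the older direction name; still accepted for events exported before the fix`, would record why the legacy value survives. Separately, `self.objects_to_parse['pe'][pe_uuid]` on the last line of the -262 hunk still raises KeyError when the referenced PE is absent from the event. Both enclosing functions begin outside the hunks shown.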


@ -455,7 +455,7 @@ class StixParser():
self.fill_object_attributes_observable(pe_section, pe_section_mapping, section)
section_uuid = str(uuid.uuid4())
pe_section.uuid = section_uuid
pe.add_reference(section_uuid, 'included-in')
pe.add_reference(pe_section.uuid, 'includes')
self.misp_event.add_object(**pe_section)
self.misp_event.add_object(**pe)
return pe_uuid
@ -613,7 +613,7 @@ class StixFromMISPParser(StixParser):
attributes = self.objects_mapping[object_type]['observable'](observable)
if isinstance(attributes, tuple):
attributes, pe_uuid = attributes
misp_object.add_reference(pe_uuid, 'included-in')
misp_object.add_reference(pe_uuid, 'includes')
for attribute in attributes:
misp_object.add_attribute(**attribute)
misp_object.to_ids = (labels[2].split('=')[1][1:-1].lower() == 'true')
@ -854,7 +854,7 @@ class StixFromMISPParser(StixParser):
'value': value, 'to_ids': True})
section_uuid = str(uuid.uuid4())
pe_section.uuid = pe_uuid
pe.add_reference(section_uuid, 'included-in')
pe.add_reference(pe_section.uuid, 'includes')
self.misp_event.add_object(**pe_section)
self.misp_event.add_object(**pe)
return attributes, pe_uuid
@ -1234,7 +1234,7 @@ class ExternalStixParser(StixParser):
def handle_pe_case(self, extension, attributes, uuid):
pe_uuid = self.parse_pe(extension)
file_object = self.create_misp_object(attributes, 'file', uuid)
file_object.add_reference(pe_uuid, 'included-in')
file_object.add_reference(pe_uuid, 'includes')
self.misp_event.add_object(**file_object)
def parse_asn_observable(self, objects, marking, uuid):
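Review bot: In the -854 hunk the new line `pe.add_reference(pe_section.uuid, 'includes')` makes the PE reference itself, because two lines earlier the context line `pe_section.uuid = pe_uuid` gives the section the PE's own uuid and leaves the freshly generated `section_uuid` unused; the two MISP objects then share one uuid and the 'includes' edge is a self-loop. The sibling -455 hunk does this correctly with `pe_section.uuid = section_uuid`. Change the context line to `pe_section.uuid = section_uuid` and the new reference line can stay as written; the removed line referenced `section_uuid` directly, which merely hid the uuid clash behind a dangling reference. This is the function whose `return attributes, pe_uuid` feeds the -613 caller, and it starts before the hunk.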


@ -604,7 +604,7 @@ class StixParser():
if properties.sections:
for section in properties.sections:
section_uuid = self.parse_pe_section(section)
misp_object.add_reference(section_uuid, 'included-in')
misp_object.add_reference(section_uuid, 'includes')
self.misp_event.add_object(**misp_object)
return {"pe_uuid": misp_object.uuid}
@ -687,7 +687,7 @@ class StixParser():
# if some complementary data is a dictionary containing an uuid,
# it means we are using it to add an object reference
if "pe_uuid" in compl_data:
misp_object.add_reference(compl_data['pe_uuid'], 'included-in')
misp_object.add_reference(compl_data['pe_uuid'], 'includes')
if "process_uuid" in compl_data:
for uuid in compl_data["process_uuid"]:
misp_object.add_reference(uuid, 'connected-to')
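Review bot: Neither hunk records the direction convention the commit establishes, so a reader of `misp_object.add_reference(section_uuid, 'includes')` in the -604 hunk has no local hint that the parent is the side that 'includes' its children or that older events carry the opposite name. A comment above that loop, `# parent -> child: the PE 'includes' its sections; events exported before this fix used 'included-in'`, and the same note at the `pe_uuid` branch in the -687 hunk would carry that. Because this importer now emits only 'includes', an exporter predating this commit, which matched `== 'included-in'` alone, will no longer find the PE for events produced here; that is presumably intended but deserves a line in the change notes. In the -687 hunk the loop variable in `for uuid in compl_data["process_uuid"]:` would shadow a `uuid` module if this file imports one as the other parser does; the imports are not visible here, so confirm before renaming it to `process_uuid`. Both enclosing functions start before their hunks.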