Merge pull request #2536 from RichieB2B/stix-mispobjects

Add MISP objects to STIX export

app/files/scripts/misp2cybox.py

@@ -25,6 +25,7 @@ hash_type_attributes = {"single":["md5", "sha1", "sha224", "sha256", "sha384", "
 simple_type_to_method = {}
 simple_type_to_method.update(dict.fromkeys(hash_type_attributes["single"] + hash_type_attributes["composite"] + ["attachment"], "resolveFileObservable"))
 simple_type_to_method.update(dict.fromkeys(["ip-src", "ip-dst", "ip-src|port", "ip-dst|port"], "generateIPObservable"))
+simple_type_to_method.update(dict.fromkeys(["port"], "generatePortObservable"))
 simple_type_to_method.update(dict.fromkeys(["domain|ip"], "generateDomainIPObservable"))
 simple_type_to_method.update(dict.fromkeys(["regkey", "regkey|value"], "generateRegkeyObservable"))
 simple_type_to_method.update(dict.fromkeys(["hostname", "domain", "url", "AS", "mutex", "named pipe", "link"], "generateSimpleObservable"))
@@ -202,6 +203,13 @@ def generateIPObservable(indicator, attribute):
     else:
         return address_object
 
+def generatePortObservable(indicator, attribute):
+    port_object = Port()
+    port_object.port_value = attribute["value"]
+    port_object.port_value.condition = "Equals"
+    port_object.parent.id_ = cybox.utils.idgen.__generator.namespace.prefix + ":PortObject-" + attribute["uuid"]
+    return port_object
+
 def generateRegkeyObservable(indicator, attribute):
     indicator.add_indicator_type("Host Characteristics")
     regkey = ""

app/files/scripts/misp2stix.py

@@ -99,6 +99,7 @@ def generateSTIXObjects(event):
     setOrg(incident, event["Org"]["name"])
     setTag(incident, event["Tag"])
     resolveAttributes(incident, ttps, event["Attribute"])
+    resolveObjects(incident, ttps, event["Object"])
     return [incident, ttps]
 
 
@@ -111,6 +112,26 @@ def setDates(incident, date, published):
     incident_time.incident_reported = timestamp
     incident.time = incident_time
 
+# decide what to do with the objects, as not all of them will become indicators
+def resolveObjects(incident, ttps, objects):
+    for obj in objects:
+        tmp_incident = Incident()
+        resolveAttributes(tmp_incident, ttps, obj["Attribute"])
+        indicator = Indicator(timestamp=getDateFromTimestamp(int(obj["timestamp"])))
+        indicator.id_= namespace[1] + ":MispObject-" + obj["uuid"]
+        if obj["comment"] != "":
+            indicator.description = obj["comment"]
+        setTLP(indicator, obj["distribution"])
+        indicator.title = obj["name"] + " (MISP Object #" + obj["id"] + ")"
+        indicator.description = indicator.title
+        indicator.add_indicator_type("Malware Artifacts")
+        indicator.add_valid_time_position(ValidTime())
+        indicator.observable_composition_operator = "AND"
+        for rindicator in tmp_incident.related_indicators:
+            indicator.add_observable(rindicator.item.observable)
+        relatedIndicator = RelatedIndicator(indicator, relationship=obj["meta-category"])
+        incident.related_indicators.append(relatedIndicator)
+
 # decide what to do with the attribute, as not all of them will become indicators
 def resolveAttributes(incident, ttps, attributes):
     for attribute in attributes: