From 728e8cd29e8226073cad5c5ecae5479d9342e990 Mon Sep 17 00:00:00 2001
From: Richard van den Berg
Date: Tue, 27 Jan 2015 09:54:52 +0100
Subject: [PATCH 1/6] Preserve indicator comments in STIX export
---
 app/files/scripts/misp2stix.py | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/app/files/scripts/misp2stix.py b/app/files/scripts/misp2stix.py
index ee708b83d..7d0288f12 100644
--- a/app/files/scripts/misp2stix.py
+++ b/app/files/scripts/misp2stix.py
@@ -263,6 +263,8 @@ def generateThreatActor(attribute):
 def generateIndicator(attribute):
 indicator = Indicator()
 indicator.id_= namespace[1] + ":indicator-" + attribute["uuid"]
+ if attribute["comment"] != "":
+ indicator.description = attribute["comment"]
 setTLP(indicator, attribute["distribution"])
 indicator.title = "MISP Attribute #" + attribute["id"] + " uuid: " + attribute["uuid"]
 confidence_description = "Derived from MISP's IDS flag. If an attribute is marked for IDS exports, the confidence will be high, otherwise none"
From 09511986e7e4610176d188aa6b9e43031a6b014a Mon Sep 17 00:00:00 2001
From: Richard van den Berg
Date: Wed, 28 Jan 2015 17:48:11 +0100
Subject: [PATCH 2/6] Map most MISP attribute comments into STIX
---
 app/files/scripts/misp2cybox.py | 2 ++
 app/files/scripts/misp2stix.py | 6 ++++++
 2 files changed, 8 insertions(+)
diff --git a/app/files/scripts/misp2cybox.py b/app/files/scripts/misp2cybox.py
index be0211408..c7b594c07 100644
--- a/app/files/scripts/misp2cybox.py
+++ b/app/files/scripts/misp2cybox.py
@@ -190,6 +190,8 @@ def returnAttachmentComposition(attribute):
 observable.observable_composition = composition
 else:
 observable = Observable(file_object)
+ if attribute["comment"] != "":
+ observable.description = attribute["comment"]
 return observable
 # email-attachment are mapped to an email message observable that contains the attachment as a file object
diff --git a/app/files/scripts/misp2stix.py b/app/files/scripts/misp2stix.py
index 7d0288f12..c5f87e286 100644
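Review bot: The added guard `if attribute["comment"] != "":` in generateIndicator raises KeyError when the attribute dict carries no "comment" key and still exports a description when the value is None rather than the empty string; the exporter's input schema is not visible here, so whether either case occurs in practice is an inference. A truthiness check, `if attribute.get("comment"):`, covers both and reads the same for the common case. The identical pattern recurs in returnAttachmentComposition (misp2cybox.py, PATCH 2) and in handleNonIndicatorAttribute, generateTTP and generateThreatActor in the later patches of this series. Since the analyst comment now goes verbatim into shared STIX output, a one-line comment at the assignment such as `# free-text analyst comment is exported as-is; its exposure is governed by the attribute's distribution (setTLP below)` would help the next maintainer. generateIndicator continues past the end of the hunk.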
--- a/app/files/scripts/misp2stix.py
+++ b/app/files/scripts/misp2stix.py
@@ -215,6 +215,8 @@ def handleNonIndicatorAttribute(incident, ttps, attribute):
 elif attribute["type"] == "target-machine":
 aa = AffectedAsset()
 aa.description = attribute["value"]
+ if attribute["comment"] != "":
+ aa.description += " " + attribute["comment"]
 incident.affected_assets.append(aa)
 elif attribute["type"] == "vulnerability":
 generateTTP(incident, attribute)
@@ -248,6 +250,8 @@ def generateTTP(incident, attribute):
 malware.add_name(attribute["value"])
 ttp.behavior = Behavior()
 ttp.behavior.add_malware_instance(malware)
+ if attribute["comment"] != "":
+ ttp.description = attribute["comment"]
 relatedTTP = RelatedTTP(ttp, relationship=attribute["category"])
 incident.leveraged_ttps.append(relatedTTP)
@@ -257,6 +261,8 @@ def generateThreatActor(attribute):
 ta.id_= namespace[1] + ":threatactor-" + attribute["uuid"]
 ta.title = "MISP Attribute #" + attribute["id"] + " uuid: " + attribute["uuid"]
 ta.description = attribute["value"]
+ if attribute["comment"] != "":
+ ta.description += " " + attribute["comment"]
 return ta
 # generate the indicator and add the relevant information
From 0aa09fec4dd0798bb94096df6fac8f425605b959 Mon Sep 17 00:00:00 2001
From: Richard van den Berg
Date: Thu, 29 Jan 2015 17:14:01 +0100
Subject: [PATCH 3/6] Fix string assignments to StructuredText
---
 app/files/scripts/misp2stix.py | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/app/files/scripts/misp2stix.py b/app/files/scripts/misp2stix.py
index c5f87e286..fc10b476d 100644
--- a/app/files/scripts/misp2stix.py
+++ b/app/files/scripts/misp2stix.py
@@ -214,9 +214,10 @@ def handleNonIndicatorAttribute(incident, ttps, attribute):
 addJournalEntry(incident, entry_line)
 elif attribute["type"] == "target-machine":
 aa = AffectedAsset()
- aa.description = attribute["value"]
 if attribute["comment"] != "":
- aa.description += " " + attribute["comment"]
+ aa.description = attribute["value"] + " " + attribute["comment"]
+ else
+ aa.description = attribute["value"]
 incident.affected_assets.append(aa)
 elif attribute["type"] == "vulnerability":
 generateTTP(incident, attribute)
@@ -260,9 +261,10 @@ def generateThreatActor(attribute):
 ta = ThreatActor()
 ta.id_= namespace[1] + ":threatactor-" + attribute["uuid"]
 ta.title = "MISP Attribute #" + attribute["id"] + " uuid: " + attribute["uuid"]
- ta.description = attribute["value"]
 if attribute["comment"] != "":
- ta.description += " " + attribute["comment"]
+ ta.description = attribute["value"] + " " + attribute["comment"]
+ else
+ ta.description = attribute["value"]
 return ta
 # generate the indicator and add the relevant information
From 883fe0786155a657c2de51429bcde46b885dce71 Mon Sep 17 00:00:00 2001
From: Richard van den Berg
Date: Thu, 29 Jan 2015 17:20:57 +0100
Subject: [PATCH 4/6] Fixed typo
---
 app/files/scripts/misp2stix.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/app/files/scripts/misp2stix.py b/app/files/scripts/misp2stix.py
index fc10b476d..9d89970be 100644
--- a/app/files/scripts/misp2stix.py
+++ b/app/files/scripts/misp2stix.py
@@ -216,7 +216,7 @@ def handleNonIndicatorAttribute(incident, ttps, attribute):
 aa = AffectedAsset()
 if attribute["comment"] != "":
 aa.description = attribute["value"] + " " + attribute["comment"]
- else
+ else:
 aa.description = attribute["value"]
 incident.affected_assets.append(aa)
 elif attribute["type"] == "vulnerability":
From e6e66f3f1c13bebaed34bb75f2649814330d18d2 Mon Sep 17 00:00:00 2001
From: Richard van den Berg
Date: Thu, 29 Jan 2015 17:21:54 +0100
Subject: [PATCH 5/6] Fixed typo
---
 app/files/scripts/misp2stix.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/app/files/scripts/misp2stix.py b/app/files/scripts/misp2stix.py
index 9d89970be..b25eb8f35 100644
--- a/app/files/scripts/misp2stix.py
+++ b/app/files/scripts/misp2stix.py
@@ -263,7 +263,7 @@ def generateThreatActor(attribute):
 ta.title = "MISP Attribute #" + attribute["id"] + " uuid: " + attribute["uuid"]
 if attribute["comment"] != "":
 ta.description = attribute["value"] + " " + attribute["comment"]
- else
+ else:
 ta.description = attribute["value"]
 return ta
From c3615eff320c205fa8bd58d5e614cb32cfab5e12 Mon Sep 17 00:00:00 2001
From: Richard van den Berg
Date: Thu, 29 Jan 2015 17:24:44 +0100
Subject: [PATCH 6/6] Pretify some comments
---
 app/files/scripts/misp2stix.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/app/files/scripts/misp2stix.py b/app/files/scripts/misp2stix.py
index b25eb8f35..28b0659d1 100644
--- a/app/files/scripts/misp2stix.py
+++ b/app/files/scripts/misp2stix.py
@@ -215,7 +215,7 @@ def handleNonIndicatorAttribute(incident, ttps, attribute):
 elif attribute["type"] == "target-machine":
 aa = AffectedAsset()
 if attribute["comment"] != "":
- aa.description = attribute["value"] + " " + attribute["comment"]
+ aa.description = attribute["value"] + " (" + attribute["comment"] + ")"
 else:
 aa.description = attribute["value"]
 incident.affected_assets.append(aa)
@@ -262,7 +262,7 @@ def generateThreatActor(attribute):
 ta.id_= namespace[1] + ":threatactor-" + attribute["uuid"]
 ta.title = "MISP Attribute #" + attribute["id"] + " uuid: " + attribute["uuid"]
 if attribute["comment"] != "":
- ta.description = attribute["value"] + " " + attribute["comment"]
+ ta.description = attribute["value"] + " (" + attribute["comment"] + ")"
 else:
 ta.description = attribute["value"]
 return ta
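Review bot: The two hunks of PATCH 6 now hold the same four-line if/else that formats `attribute["value"]` with an optional parenthesised comment, once for AffectedAsset in handleNonIndicatorAttribute and once for ThreatActor in generateThreatActor, so the two formats can only drift apart from here. Building the plain string in one small helper and assigning it once keeps them in step, and it also sidesteps the append-after-assignment problem that PATCH 3 ("Fix string assignments to StructuredText") had to undo, because the concatenation happens on a str before anything is assigned to a description. A sketch is below; the Indicator and TTP paths, which export the comment alone, would stay as they are. handleNonIndicatorAttribute starts before and ends after its hunk, and generateThreatActor starts before its hunk.
```python
def describeWithComment(attribute):
    """Return attribute["value"], with a non-empty comment appended in parentheses."""
    # Concatenate on the plain str before assigning; appending to an already
    # assigned .description is what PATCH 3 of this series had to undo.
    if attribute.get("comment"):
        return attribute["value"] + " (" + attribute["comment"] + ")"
    return attribute["value"]

# … unchanged: handleNonIndicatorAttribute up to the target-machine branch …
        aa = AffectedAsset()
        aa.description = describeWithComment(attribute)
        incident.affected_assets.append(aa)
# … unchanged: remaining branches of handleNonIndicatorAttribute …

# … unchanged: generateThreatActor id_ and title assignments …
    ta.description = describeWithComment(attribute)
    return ta
```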